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ABSTRACT 


This  thesis  presents  an  implementation  of 
multiprogramming  and  process  management  functions  for  the 
security  kernel  of  a  distributed  multiprocessor  system.  The 
implementation  is  based  on  a  family  of  operating  systems 
designed  to  provide  controlled  access  in  a  microcomputer 
network  to  data  bases  containing  multiple  levels  of 
sensitive  information. 

Multiprogramming  improves  system  efficiency  and  creates 
a  virtual  environment  which  frees  the  remainder  of  the 
operating  system  from  a  dependence  on  processor 
configuration.  Processor  management  coordinates  the 
asynchronous  interaction  of  system  processes. 

This  implementation  describes  a  processor  multiplexing 
technique  for  a  distributed  kernel  and  presents  a  virtual 
interrupt  mechanism.  Its  structure  is  loop  free  to  permit 
future  expansion  into  more  complex  members  of  the  design 
family. 
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I.  INTRODUCTION 


The  application  of  contemporary  microprocessor 
technology  to  the  design  of  large-scale  multiple  processor 
systems  offers  many  potential  benefits.  The  cost  of 
high-power  computer  systems  could  he  reduced  drastically? 
fault  tolerance  in  critical  real-time  systems  could  he 
improved?  and  computer  services  could  he  applied  in  areas 
where  their  use  is  not  now  cost  effective.  Designing  such 
systems  presents  many  formidable  problems  that  have  not  been 
solved  by  the  specialized  single  processor  systems  available 
today . 

Specifically,  there  is  an  increasing  demand  for  computer 

* 

systems  that  provide  protected  storage  and  controlled  access 
for  sensitive  information  to  be  shared  among  a  wide  range  of 
users.  Data  controlled  by  the  Privacy  Act,  classified 
Department  of  Defence  (DoD)  information,  and  the 
transactions  of  financial  institutions  are  but  a  few  cf  the 
areas  which  require  protection  for  multiple  levels  of 
sensitive  Information.  Multiple  processor  systems  which 
share  data  are  well  suited  to  providing  such  services  -  if 
the  data  security  problem  can  be  solved. 

A  solution  to  these  problems  -  a  multiprocessor  system 
design  with  verifiable  information  security  -  is  offered  in 
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a  family  of  secure,  distributed  multi-microprocessor 
operating  systems  designed  by  O'Connell  and  Richardson  [1] . 
A  subset  of  this  family,  the  Secure  Archival  Storage  System 
(SASS)  [2,3],  has  been  selected  as  a  testbed  for  the  general 
design.  SASS  will  provide  consolidated  file  storage  for  a 
network  of  possibly  dissimilar  "host"  computers.  The  system 
will  provide  controlled,  shared  access  to  multiple  levels  of 
sensitive  information  (figure  1). 

This  thesis  presents  an  implementation  of  a  basic 
monitor  for  the  0 'Connell-Richardson  family  of  operating 
systems.  The  monitor  provides  multiprogramming  and  process 
management  functions  specifically  addressed  to  the  control 
of  physical  processor  resources  of  SASS.  Concurrent  thesis 
work  [4]  is  developing  a  detailed  design  for  a  security 
kernel  process,  the  Memory  Manager,  which  will  manage  SASS 
memory  resources. 
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A.  BACKGROUND 
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The  general  family  design  is  composed  of  a  supervisor 
and  a  security  kernel.  The  supervisor  provides  dynamic 
linking,  a  discretionary  security  policy,  demand  memory 
management,  and  a  hierarchical  file  system  in  support  of  the 
user.  The  security  kernel  manages  physical  resources  to 
provide  scheduling,  interprocess  communication  and 
synchronization,  and  a  non-discretionary  security  policy. 
The  design  is  loop-free  to  permit  the  implementation  of 
system  subsets  ranging  from  a  simple  monitor  to  a  general 
purpose  computer  utility. 

SASS  is  a  subset  of  this  system  and  does  not  require  use 

of  several  higher  levels  of  the  general  system  design. 

Dynamic  linking,  demand  segmentation,  transient  processes, 

and  a  user  domain  are  not  necessary  for  its  intended 

operation,  and  are  excluded.  The  software  of  SASS  is 

partitioned  into  two  domains.  The  security  kernel,  which  is 

the  most  privileged  domain,  manages  system  physical 

resources  in  a  manner  designed  to  prevent  unauthorized 

information  flow,  regardless  of  action  taken  by  other 

elements  in  the  system.  The  less  privileged  domain,  the 
✓ 

supervisor  [2],  provides  each  host  with  a  hierarchical  file 
system  in  which  it  may  store  and  retrieve  files  and  share 
them  with  other  hosts.  The  hosts  send  commands  and  transfer 
files  via  bidirectional  digital  links.  SASS  was  designed  for 
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implementation  of  currently  available  microprocessor 
hardware.  Multiprogramming  is  used  to  improve  system 
efficiency  and  to  create  a  virtual  environment  which  frees 
the  remainder  of  the  operating  system  from  a  dependence  on 
the  physical  processor  configuration.  Frocessor  management 
provides  a  means  of  coordinating  the  interaction  of  the 
asynchronous  processes  which  comprise  the  system.  This 
implementation  employs  a  processor  multiplexing  technique 
for  a  distributed  kernel  and  presents  a  virtual  interrupt 
mechanism.  The  modular,  hierarchical  structure  of  the 
software  is  loop-free  to  support  system  expansion  to  higher 
level  functions. 

Although  the  primary  goal  of  the  design  is  security,  the 
clean,  logical,  process-oriented  structure  of  SASS  offers 
other  benefits  as  well,  including  fault  tolerance,  resource 
configuration  independence,  and  efficiency. 

B.  COMPUTER  SECURITY 

The  need  for  providing  protection  for  information  within 
a  computer  system  is  well  documented.  Development  of  the 
security  kernel  technology  [5,6],  has  transformed  the 
operating  system  designer's  approach  from  a  game  of  wits 
with  penetrators  into  a  methodical  design  process. 

In  general,  security  is  provided  by  providing  protection 
for  information  in  accordance  with  a  specific  protection 
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policy.  In  the  case  of  computer  security  this  is 
accomplished  by  controlling  the  access  of  people  to 
information.  Although  this  protection  can  be  provided  by 
external  controls  (e.g.,  confining  the  computer  system  and 
all  its  users  within  a  physical  security  perimeter),  this 
method  is  inefficient  and  prone  to  human  error.  Furthermore, 
a  distributed  computer  network  will  probably  be  dispersed 
over  too  wide  an  area  to  be  physically  confined.  Supported 
by  the  security  kernel  approach,  an  internal  protection 
mechanism  controlled  by  the  computer  operating  system  is  a 
feasible  solution. 

1 .  Reference  Monitor 

The  concept  of  protection  is  realized  within  the 
computer  system  by  the  implementation  of  a  mathematical 
model  of  information  security.  This  model  is  based  on  an 
abstract  representation  of  security  called  the  Reference 
Monitor  [?] .  The  Reference  Monitor  describes  a  mechanism  for 
controlling  the  access  of  subjects  to  objects,  based  on  a 
set  of  access  authorizations  (figure  2). 


Reference  Monitor 


Figure  2 
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Every  time  a  subject  attempts  to  access  an  object, 
the  Reference  Monitor  checks  to  determine  if  the  subject  has 
authorization  to  perform  the  desired  operation  ( e  .g . ,  write, 
read)  on  the  object.  If  the  policy  does  not  authorize  the 
access,  the  Reference  Monitor  will  prevent  the  subject  from 
performing  the  requested  operation.  This  mechanism  is 
realized  within  the  operating  system  as  the  security  kernel. 
Several  system  features  are  required  in  order  for  the 
mechanism  to  function  correctly. 

First,  every  reference  to  information  (i.e.,  every 
access  to  primary  memory  by  the  processor)  must  go  through 
the  security  kernel. 

Second,  the  implementation  of  the  security  kernel  must 
be  an  exact  representation  of  the  mathematical  model  of 
information  security. 

Third,  the  security  kernel  must  be  tamper-proof. 

2.  Security  Policy 

The  security  policy  to  be  enforced  by  the  computer 
system  consists  of  external  laws,  rules,  regulations,  etc., 
which  establish  permissable  information  access  independent 
of  the  computer  system.  Therefore,  a  computer  system  will  be 
secure  only  with  respect  to  a  specific  security  policy.  The 
security  kernel  concept  supports  a  broad  range  of  security 
policies  that  can  be  divided  into  two  classes, 
non-dl scretionary  and  discretionary  security. 
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a.  Non-discretionary  Policy 

Non-discretionary  security  policy  uses  labels  to 
insure  only  permissable  access  of  subjects  to  objects  is 
provided.  Object  labels  reflect  object  sensitivity  and 
subject  labels  reflect  subject  authorization.  (For  example, 
National  Security  Policy  labels  include  Unclassified, 
Secret,  etc.).  A  non-discretionary  security  policy  provides 
compromise  protection  (from  unauthorized  reading),  integrity 
protection  (from  unauthorized  modification),  and  must 
prevent  information  leaks  resulting  from  indirect  access  to 
unauthorized  information  as  well.  A  non-discretionary 
security  policy  requires  that  all  subjects  and  objects  have 
labels.  Most  contemporary  computer  systems  do  not  provide 
this  explicit  labeling  and  therefore  implicitly  make  all 
access  permissable. 

b.  Discretionary  Policy 

Discretionary  security  policy  provides  a  finer 
division  of  access  by  allowing  individual  subjects  to  decide 
which  of  the  permissable  accesses,  determined  by 
non-discretionary  policy,  will  actually  be  allowed  (e.g., 
DoD's  "need  to  know").  Many  contemporary  computer  systems 
support  discretionary  security  policy  with  access  control 
lists,  file  passwords,  capability  lists  and  other 
mechanisms . 
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3 .  Security  Kernel  Design 

By  careful  interpretation  of  the  mathematical  model 
of  the  Reference  Monitor,  the  security  kernel  is  designed  to 
he  a  subset  of  operating  system  functions.  Sernel  primitives 
form  an  interface  between  this  subset  and  the  remainder  of 
the  system.  If  these  primitives  are  implemented  correctly, 
their  use  guarantees  that  information  will  be  protected  in 
compliance  with  system  security  policy,  regardless  of  any 
action  taken  by  other  portions  of  the  operating  system  or  by 
the  user.  A  more  detailed  discussion  of  the  security  model 
is  provided  in  [4,5,6]. 

C.  SCOPE  OP  THESIS 

In  this  chapter  a  subset  of  the  general  operating 
system  design,  the  Secure  Archival  Storage  System  (SASS), 
was  described.  The  concept  of  information  security  was 
examined  and  the  security  kernel  was  presented  as  a 
technically  sound  approach  to  the  problem  of  providing 
internal  computer  security. 

Chapter  Two  will  discuss  the  design  goals  of  this 
operating  system.  Junctional  design  requirements  will  be 
developed  and  the  issues  of  physical  resource  management  and 
performance  will  be  traced  to  specific  attributes  desired  in 
system  hardware.  The  rationale  behind  the  ultimate  selection 
of  Zllog's  Z8£££  Microprocessor  and  Z6£ie  memory  management 
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unit  (MKJ)  for  use  in  the  SASS  testbed  implementation  of 
this  operating  system  will  be  discussed. 

Chapter  Three  will  describe  the  high  level  design  of 
SASS  with  an  emphasis  on  the  security  kernel  design.  A  view 
of  the  user  (computer  host}  environment  as  a  collection  of 
cooperating  processes  will  be  presented,  and  the 
hierarchical  structure  of  the  distributed  kernel  modules 
will  be  examined  in  detail. 

Chapter  Four  will  present  an  implementation  of  the  SASS 
security  kernel  modules  that  provide  multiprogramming  and 
processor  management.  The  construction  of  the  virtual 
machine  environment  will  be  described  and  the  advantages  of 
a  two-level  scheduling  mechanism  will  be  explained. 

Finally  an  evaluation  of  this  implementation  will  be 
presented  with  recommendations  Tor  improving  the  design  and 
suggestions  for  follow  on  work. 


II. 


I 


El 


MCE 


OPERATING  SYSTEMS  DESIGN  CO 
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The  kernel  primitives  providing  multiprogramming  and 
process  management  form  one  of  the  smallest  and  most  basic 
subsets  in  the  family  of  operating  systems  designed  by 
O'Connell  and  Richardson  [4].  As  developed  here  they  were 
implemented  specifically  to  support  SASS.  In  general  the 
same  kernel  primitives  will  support  all  members  of  this 
design  family. 

Before  discussing  the  high  level  design  of  the  SASS 
security  kernel  and  presenting  an  implementation  of  these 
primitives,  it  is  useful  to  investigate  the  general  design 
methodology  applied  to  the  development  of  this  operating 
system.  In  this  chapter  the  design  goals  of  SASS  will  be 
analyzed  and  traced  to  functional  requirements  and  hardware 
attributes  considered  necessary  or  desirable  in  support  of 
the  system's  design  goals.  It  is  recognized  that  the 
operating  system  user  Will  probably  not  address  these  issues 
directly  when  specifying  system  design  goals.  The  material 
presented  here  concerns  the  approach  of  the  system  designer 
to  the  definition  of  requirements  implicitly  related  to  user 
design  goals. 


A.  DESIGN  PHILOSOPHY 


Two  issues  confront  the  operating  system  designer. 
First,  he  must  provide  system  functions  which  support  the 
services  requested  by  the  user.  These  functional 
requirements  affect  the  logical  design  of  the  system. 
Second,  he  must  address  issues  of  cost  and  performance.  Cost 
and  other  management  considerations  will  not  he  addressed 
here.  Performance  issues  concern  the  management  of  physical 
resources  and  ultimately  can  he  reduced  to  hardware 
requirements . 

There  is  a  considerable  amount  of  literature  devoted  to 
the  development  of  the  functional  design  of  operating 
systems.  Dijkstra  [6]  has  described  a  technique  for  reducing 
the  complexity  of  the  design  by  allocating  operating  system 
activities  to  a  number  of  cooperating  processes.  Process 
structure  is  simplified  in  turn  by  defining  its  functions  in 
levels  of  increasing  abstraction  and  by  applying  the 
principles  of  structured  programming. 

Yadnick  and  Donovan  [9]  have  described  an  operating 
system  as  a  hierarchical  extended  machine.  Program  modules 
are  added  to  the  system  hardware  to  provide  many  extended 
instructions  in  addition  to  the  hardware  instructions 
available  on  the  bare  machine.  In  complex  systems  one 
extended  machine  may  be  constructed  upon  another  to  form  a 
system  composed  of  levels  of  abstract  (virtual)  machines. 
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Saltzer  [1?]  and  Reed  [11,  12]  have  discussed  the 
advantages  of  resource  virtualization  and  have  described 
some  useful  interprocess  communication  mechanisms.  The 
general  design  strategies  presented  in  this  and  other 
research  aid  the  operating  system  designer  in  developing 
system  functions  in  a  clean,  logical,  verifiable  design. 

The  selection  of  an  appropriate  computer  architecture, 
which  supports  both  functional  requirements  and  the 
efficient  management  of  physical  resources,  often  proves  to 
be  a  more  difficult  issue.  Frequently  operating  systems 
design  is  shaped  by  the  capabilities  of  system  hardware. 
This  may  be  a  result  of  performance  limitations  or  cost  of 
available  hardware,  but  often  this  course  is  taken  because 
traditionally,  system  design  begins  with  hardware.  Since  a 
primary  goal  in  operating  systms  design  is  to  create  a 
specific  operational  environment  for  the  user,  it  would 
appear  to  be  preferable  to  design  from  the  desired 
environment  "down  to"  the  hardware.  In  this  way  all 
components  of  the  system,  software  and  hardware  alike,  are 
evaluated  in  the  light  of  the  ultimate  goals  of  the  system, 
and  any  incompatabili ties  between  required  functions  and 
hardware  capabilities  will  be  discovered  early  in  the 
design.  Then,  if  modifications  are  required,  design  changes 
can  be  made  at  a  high  level  which  will  preserve  design 
integrity.  LSI  technology  currently  provides  a  wide  variety 
of  relatively  inexpensive  microprocessor  hardware  from  which 
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to  select  specific  physical  components,  furthermore,  it  is 
often  feasible  to  design  special  purpose  hardware  to 
specification.  So  the  traditional  restrictions  on  hardware 
versatility  in  systems  design  need  not  apply  in  many  cases 
to  microprocessor  systems. 

In  summary,  the  top-down  design  philosophy  can  be 
applied  to  operating  systems  design  in  the  following  manner: 

1.  Identify  general  and  specific  design  goals. 

2.  Derive  functional  design  requirements. 

3.  Identify  performance  requirements. 

4.  Select  system  hardware. 

5.  Develope  kernel  software. 

6.  Develope  the  remainder  of  the  0/S  software. 

3.  general  design  goals 

Although  many  design  goals  depend  upon  specific  system 
application,  there  appear  to  be  some  attributes  desirable  in 
all  operating  systems. 

1 .  logical  Structure 

Computer  system  design  is  an  engineering  problem  and 
the  tools  of  the  engineering  design  process  should  be 
applied  to  the  development  of  software  as  well  as  hardware 
[13] .  Clarity  should  be  a  major  goal  of  any  design  for  if 
the  operating  system  cannot  be  understood  easily  it  will  be 
difficult  to  test,  difficult  to  maintain,  and  its 
correctness  will  always  be  in  doubt.  A  sound  enginering 
design  philosophy  is  not  guaranteed  to  generate  error  free 
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systems,  but  if  system  functions  are  cleanly  organized  and 
well  understood,  then  it  is  likely  that  there  will  be  few 
errors  and  these  can  he  corrected  without  difficulty  when 
discovered . 


2.  ?ault  Tolerence 


If  an 

operating 

system 

is  to  he 

reliable,  the 

software 

it 

uses  must 

he  protected  from 

damage  whenever 

possible 

.  In 

particular. 

tasks 

performed 

hy  the  system 

should  he  isolated  from  another  so  that  a  malfunction  (e.g., 
as  the  result  of  hardware  failure)  in  one  task  has  no  effect 
on  others. 

3.  Efficiency 


The  efficient  use  of  physical  resources  (processors, 
memory,  periphals,  etc.)  continues  to  he  a  primary  design 
goal.  However,  since  hardware  is  no  longer  the  scarce, 
expensive  commodity  it  once  was,  a  concern  for  overall 
system  efficiency  (i.e.,  higher  thorugh-put,  faster  response 
time)  may  he  more  important.  With  appropriate  component 
selection  many  software  functions  can  he  replaced  hy 
hardware  functions  that  can  provide  an  improvement  in  system 
performance  at  a  small  additional  hardware  expense. 


C.  SPECIFIC  DESIGN  GOALS 


and 


The  family  of  operating  systems  designed  hy  O'Connell 
Richardson  provides  all  of  the  services  expected  of  a 
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state  of  the  art,  general  purpose  operating  system,  yany  of 
these  general  services  are  not  necessary  in  the  SASS  subset 
of  the  family.  The  number  of  processes  required  by  c  ASS  is 
determined  by  the  number  of  host  computers  linked  to  SASS 
hardware.  A  design  choice  was  made  to  fix  this  number  at 
system  generation  time.  Therefore  dynamic  process  management 
is  not  required?  SASS  processes  exist  for  the  life  of  the 
system.  A  primary  function  of  SASS  is  the  transfer  of  files 
between  host  computers  and  SASS  via  bidirectional  digital 
links.  As  a  result,  the  system  will  have  a  low  transaction 
rate,  and  the  relatively  fast  response  time  desired  in  a 
time-sharing  system  i_  not  required  here.  Sass  does  not 
provide  programming  services  to  users;  the  system  strictly 
manages  an  archival  storage  system.  This  eliminates  the 
requirement  for  a  user  domain  and  because  the  demands  on 
primary  memory  are  not  excessive,  there  is  no  need  for 
dynamic  memory  management. 

Other  services  of  the  general  system  provide 
essential  support  to  SASS.  These  services  include  I/O 
management,  file  management,  and  the  physical  resource 
management  and  information  protection  functions  provided  by 
the  security  kernel. 

The  SASS  requirement  to  provide  multiple  host  computers 
(users)  with  controlled,  shared  access  to  a  multilevel 
secure  "data  warehouse"  leads  to  several  design  goals.  These 
include:  internal  security  to  proctect  information  in  a 


districted  computer  network?  configuration  independence  for 
system  versatility?  and  a  subsetting  capability  to  support 
future  system  expansion  to  more  complex  members  of  the 
design  family. 

1.  Internal  Security 

A.  unique  feature  of  SASS  is  the  specification  of 
multilevel  security  as  a  primary  design  goal.  Multilevel 
security  provides  controlled  sharing  of  information  of 
varying  sensitivity  among  many  users  in  accordance  with  an 
access  policy  implemented  internally  by  the  operating 
system.  It  is  essential  that  a  system  supporting  a  remotely 
accessed  data,  base  containing  information  of  different 
access  classes  be  provided  with  an  internally  enforced 
security  policy. 

2.  Configuration  Independence 

The  resource  configuration  of  a  multicomputer  system 
is  highly  changeable.  Processors  are  added  and  removed? 
memory  is  reconfigured?  interconnection  schemes  are  altered 
and  peripheral  equipment  is  changed.  The  operating  system 
of  such  a  design  should  be  sufficiently  flexible  to  permit 
maintenance  and  to  allow  for  growth  and  reconfiguration 
without  requiring  drastic  system  redesign  or  noticeably 
affecting  the  user's  environment. 

3.  Sub-setting  Capability 

Operating  system  "sub-setting”  refers  to  the  ability 
to  form  meaningful  subsets  of  the  design  by  eliminating  many 
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of  the  services  that  can  be  provided  by  the  system  without 
affecting  the  usefulness  of  the  remainder  of  the  system. 
Sub-setting  permits  the  system  to  be  tailored  to  fit  a 
number  of  specific  designs  ranging  from  a  simple  monitor  to 
a  full  service  time-shared  computer  utility.  The 
implementation  presented  in  this  thesis  creates  a  monitor 
that  provides  multiprogramming  and  processor  management. 
This  subset  supports  more  complex  family  members  of  the 
design  such  as  SASS. 

D.  DESIGN  REQUIREMENTS 

In  a  top-down  approach  to  design,  goals  are  clarified 
and  defined  by  requirements  which  describe  either  the  system 
functions  or  address  cost  and  performance  issues  (hardware 
requirements).  The  functional  requirements  defined  below 
support  the  specific  design  goals  of  SASS  and  provide 
features  desirable  in  any  operating  system,  such  as  a 
logical  structure,  fault  tolerance,  and  efficiency  of 
operation . 

1 .  Functional  Requirements 

Functional  requirements  define  services  which  must 
be  provided  to  support  the  user's  environment, 
a.  Process  Organization 

By  designing  an  operating  system  as  a  collection 
of  cooperating  processes,  system  complexity  can  be  greatly 
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reduced  [£] .  This  is  because  the  asynchronous  nature  of  the 
system  can  be  structured  logically  by  representing  each 
independent,  sequential  task  as  a  process  and  by  providing 
interprocess  communication  mechanisms  to  prevent  races  and 
deadlocks  during  process  interactions. 

The  notion  of  a  process  provides  a  complete 
description  of  all  instructions  executed  and  all  memory 
locations  referenced  during  the  performance  of  a  task.  A 
process  is  defined  by  an  address  space  and  ar  execution 
point.  The  address  space  is  the  set  of  memory  locations 
which  could  be  accessed  during  process  execution.  (The 
process  is  viewed  as  a  past,  present  and  future  "history"  of 
memory  locations  which  actually  were  referenced.)  The 
execution  point  is  the  state  of  the  processor  at  a  given 
instant  during  process  execution.  In  the  abstract  view,  an 
address  space  is  defined  by  a  collection  to  discrete  points, 
each  representing  a  memory  word.  The  process  is  described  by 
the  path  traced  through  this  address  space  from  process 
creation  to  destruction.  In  figure  3  the  main  path  traces 
the  process  execution  point  as  it  moves  from  one  instruction 
(i.e.,  memory  word)  to  another  during  process  execution.  The 
branches  from  .  this  execution  point  path  represent  data 
references . 


Process  History 


Several  advantages  result  from  using  a  process 
oriented  design.  As  a  tool  for  dealing  with  the  asynchronous 
nature  of  system  operation,  processes  provide  a  simple, 
logical,  high-level  structure  for  the  design.  For  example, 
the  Secure  Archival  Storage  System  supports  each  host  with 
three  processes:  a  I/O  Manager,  a  File  Manager,  and  a  Memory 
Manager,  which  interact  to  provide  secure  file  management 
services  to  the  host.  This  interaction  will  be  described 
further  in  the  next  chapter.  Since  each  process  is  confined 
to  a  secific  address  space,  tasks  are  isolated  from  one 
another  and  system  fault  tolerance  is  improved.  Sy  providing 
an  internal  representation  for  each  user,  a  process  nicely 
fits  the  definition  of  a  "subject”  in  the  P.eference  Monitor 
and  therefore  supports  the  design  goal  of  providing  internal 
securl ty. 


b.  Memory  Segmentation 

The  address  space  of  a  process  is  composed  of  a 
collection  of  segments.  A  segment  is  a  logical  collection  of 
information  (e.g.,  procedure,  data  structure,  file,  etc.) 
and  is  the  basic  logical  object  of  this  design.  Figure  4 
illustrates  the  tvo-dimenti onal  nature  of  the  segment 
address.  Each  segment  consists  of  an  arbitrary  region  of 
memory  containing  a  sequence  of  *ords  with  conventional 
linear  addresses.  Tvo-dimentional  addressing  frees 
information  from  dependence  on  a  particular  memory  location 
by  making  it  arbitrarily  relocatable. 

Segmented  Addressing 
«SEG  #n»  OFFSET 

Descriptor  segment  Segment  *n 


Figure  4 


The  descriptor  segment  provides  a  list  of 
descriptors  for  all  segments  in  a  process  address  space.  In 
addition,  segmentation  supports  information  sharing  since  a 
segment  may  belong  to  more  than  one  address  space. 
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Segmention  also  provides  a  means  of  associating  logical 
attributes  and  labels  with  each  segment,  such  as  access 
class,  domain,  etc.  This  feature  supports  segments  as 
internal  representations  of  the  Reference  Monitor's 
object  . 

c.  Abstraction 

Abstraction  provides  a  method  for  reducing 
problem  complexity  by  applying  a  general  solution  to  a 
collection  of  specific  cases  [14]  .  Structured  programming 
provides  a  tool  for  creating  abstraction  in  software  design. 
By  strictly  applying  two  special  rules  in  addition  to  the 
general  principles  of  structured  programming,  a  structure 
consisting  o*  levels  of  increasing  abstraction  can  be 
constructured . 

First,  calls  cannot  be  outward  toward  higher 
levels  of  abstraction.  This  frees  lower  levels  from  a 
dependence  on  higher  levels  by  creating  a  loop-free 
structure  [15]  and  results  in  a  design  which  is  capable  of 
having  subsets. 

Second,  calls  to  lower  levels  must  be  by  special 
entry  points  or  gates.  Each  level  of  abstraction  creates  an 
virtual  hierarchical  machine  [9].  The  gate  to  each  level 
provides  a  set  of  instructions  created  for  that  virtual 
machine.  Thus  higher  levels  may  use  the  resources  of  lower 
levels  only  by  applying  the  instruction  set  of  a  lower  level 
machine.  (At  domain  boundaries,  use  of  gates  is  strictly 
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enforced  by  a  ring-crossing  mechanism,  otherwise  gate  use  is 
implicit  in  the  structure  of  the  software.)  Once  a  level  of 
abstraction  has  been  created,  the  details  of  its 
implementation  are  no  longer  an  issue.  Instead  users  see 
layers  of  virtual  machines  ,  each  defined  by  its  eitended 
instruction  set. 

Each  process  used  in  SASS  is  designed  in  levels 

of  abstraction.  When  the  rules  of  abstraction  are  applied  to 

level  (?,  the  physical  resources  of  the  system,  these 

resources  are  "virtualized".  Thus  the  first  level  of 

abstraction  creates  "virtual  processors",  "virtual  memory", 
»  „  ' 

and  virtual  devices  from  the  system's  hardware.  At  each 
higher  level  the  detail  of  the  design  is  reduced.  The  gate 
at  the  boundary  between  the  highest  level  of  the  security 
kernel  and  the  lowest  level  of  the  supervisor  provides  a 
mechanism  for  isolating  the  kernel  as  well  as  insuring  that 
each  memory  access  is  via  kernel  software.  This  mechanism  is 
implemented  in  SASS  by  a  ring-crossing  mechanism  called  the 
Gatekeeper . 

d.  Resource  Virtualization 

The  first  levels  of  abstraction  above  system 
hardware  create  virtual  representations  of  physical 
resources  (virtual  processors,  virtual  memory,  virtual 
periphals).  Since  upper  levels  of  the  design  operate  on 
these  virtual  resources,  rather  than  on  physical  resources, 
most  of  the  design  (i.e.,  everything  above  resource 


virtualization  levels)  is  independent  of  the  physical 
configuration  of  the  system.  By  providing  virtual  to  real 
resource  binding  in  the  kernel,  and  by  enforcing  entry  into 
kernel  levels  with  the  Gatekeeper,  SASS  protects  physical 
resources  from  tampering  and  insures  memory  access  only  via 
the  kernel.  As  a  result,  the  kernel  modules  of  each  process 
will  guarantee  that  the  system's  non-discretionary  security 
policy  is  enforced.  Including  in  the  kernel  only  those 
functions  essential  to  system  security  keeps  it  small  and 
reduces  the  job  of  verification  to  manageable  proportions. 

2.  Hardware  Requirements 

Virtual  resources  are  created  by  the  multiplexing  of 
various  types  of  information  on  a  physical  resource. 
Multiplexing  can  be  defined  as  the  use  of  a  single  resource 
for  different  purposes  at  different  times.  For  example  the 
physical  bus  lines  can  be  used  both  for  addresses  and  data 
during  different  times  during  the  machine  cycle.  Similarly, 
logical  users  of  a  hardware  system  can  share  resources.  The 
ability  to  multiplex  processors  and  memory  efficiently 
provides  a  mechanism  for  the  virtualization  of  these 
physical  resources. 

a.  Processor  Virtualization. 

A  virtual  processor  is  a  data  structure  that 
contains  a  complete  description  of  a  process  in  execution  on 
a  physical  processor  at  a  given  Instant.  This  description  is 
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contained  in  the  process  execution  point.  The  address  space 
of  the  process  must  he  accessable  to  the  virtual  processor 
when  it  is  loaded  on  (hound  to)  a  CPU.  To  provide  a  useful 
virtualization  capability,  the  CPU  must  have  the  ability  to 
efficiently  multiplex  process  election  points  and  address 
spaces  (i.e.,  it  must  support  multiprogramming). 

b.  Memory  Virtualization. 

In  many  memory  handling  schemes  Process  cannot 
run  unless  the  entire  address  space  is  loaded  in  primary 
memory.  This  may  require  a  large  main  memory  or  it  may 
restrict  the  size  of  the  address  space.  An  alternative  plan 
requires  an  'operating  system  which  manages  primary  and 
secondary  memory  to  create  the  illusion  of  a  memory  which  is 
larger  than  the  system's  primary  memory.  Since  the  larger 
memory  is'  only  an  illusion,  it  is  often  called  virtual 
storage.  The  logical,  relocatable,  information  objects 
created  by  memory  segmentaion,  provide  an  essential  memory 
multiplexing  mechanism  for  the  efficient  implementation  of 
virtual  storage. 

c.  Protection  Domains 

An  essential  requirement  of  internal  security  is 
that  the  security  kernel  be  isolated  from  other  elements  of 
the  system.  This  can  be  accomplished  by  the  construction  of 
protection  domains.  Protection  domains  are  used  to  arrange 
process  address  spaces  into  rings  of  different  privilege. 
This  arrangement  is  a  hierarchical  structure  in  which  the 
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most  privileged  domain  is  the  innermost  ring.  The  structure 
essentially  divides  the  address  space  into  levels  of 
abstraction  with  strictly  enforced  gates  at  the  ring 
boundaries  (Figure  5). 

SASS  Protection  Rings 

Gatekeeper 


Figure  5 

Protection  rings  may  be  created  in  software,  but 
a  hardware  implementation,  where  gate  use  is  enforced  by 
hardware,  is  much  more  efficient  ClSj . 

The  protection  provided  by  the  ring  structure  is 
not  a  security  policy.  (Security  protection  is  implemented 
by  a  lattice  structure  known  to  the  Non-discretionary 
Security  module  in  the  kernel.)  It  does,  however,  enforce 
the  hierarchy  of  the  virtual  machine  by  creating  a 
privileged  kernel  ring  within  the  supervisor  ring. 

S.  HARDWARE  SELECTION 

The  manifestation  of  an  operating  system  design  is,  of 
course,  software  in  execution  on  system  equipment.  If  system 


equipment  must  be  selected  early  in  the  design,  care  must  be 
taken  to  insure  that  overall  system  design  goals  are 
compatible  with  actual  hardware  capabilities.  If  design 
goals  must  be  met  (e.g.,  the  enforcement  of  Internal 
security  ir.  SASS),  then  actual  hardware  selection  should  be 
made  late  in  the  design  process.  Then,  even  if  a  poor 
hardware  choice  is  made,  the  penalty  for  correcting  it  will 
be  small,  since  only  the  lowest  level  of  the  design  (where 
resources  are  virtualized)  need  be  changed.  In  any  case  the 
design  of  the  operating  system  and  the  design  or  selection 
of  system  hardware  must  proceed  in  concert. 

1.  21  log  Z6031 

The  2H'Z1  is  a  general  purpose  15-tit  microprocessor 
[17]  with  an  architecture  which  supports  memory  segmentation 
and  two-domain  operations.  It  was  selected  as  the  target 
machine  for  implementation  of  the  system  because  of  the  full 
range  of  support  and  close  match  it  provided  to  design 
requirements.  These  supporting  features  are  described  below. 

a.  Memory  Segmentation 

The  CPU  can  directly  access  3M  bytes  of  address 
space  using  a  memory  segmentation  capability  provided 
externally  by  a  Memory  Management  Unit  (Z8010  MMU) .  The 
23-bit  address  required  to  address  8M  bytes  is  a  logical  two 
dimensional  address  consisting  of  a  7-bit  segment  number  and 
a  16-bit  offset.  The  memory  management  unit  converts  this 
into  a  24-bit  address  for  the  physical  memory.  The  address 
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space  can  tie  divided  into  as  many  as  126  relocatable 
segments  containing  up  to  64&  bytes  each.  Each  memory 
segment  can  be  assigned  several  attributes  which  provide 
memory  access  protection  (read  only  ,  system  mode  only 
(i.e.,  ring  #),  execute  only,  etc.)  and  memory  management 
data  (changed,  referenced).  With  these  capabilities  the 
Z8001  CPU  can  support  all  requirements  for  segmentation, 
memory  virtualization  and  protection  domains, 
t.  Mul t iprogramming 

Processor  multiplexing  is  supported  by  the  CPU's 
mul tiprogramming  capabilities.  MULTI-MICRO  instructions  aid 
in  establishing  a  synchronization  mechanism  (by  mutual 
exclusion)  between  multiple  processors.  Seperate  stack,  data 
and  code  address  spaces  are  maintained  for  each  ring  of 
operation.  The  load  myltiple  instruction  allows  the  contents 
of  registers  to  be  saved  and  loaded  efficiently.  These 
features  permit  efficient  storing  and  loading  of  process 
execution  points. 

Address  space  multiplexing  is  also  supported  but 
is  somewhat  inefficient.  In  some  systems,  such  as  Multics 
[IS],  a  descriptor  base  register  (DER)  is  provided  to  point 
to  a  process  descriptor  segment  in  memory,  so  changing  the 
address  space  of  the  physical  processor  is  accomplished 
merely  by  changing  the  EBR.  Since  the  Z6001  CPU  implements 
the  descriptor  segment  as  a  collection  of  descriptor 
registers  in  the  MMU ,  all  of  the  descriptors  for  the  address 

38 


space  must  be  saved  and  loaded  to  change  processes.  This  can 
make  processor  multiplexing  (multiprogramming^  quite 
inefficient.  In  the  worst  case,  when  the  entire  MMU  is  saved 
and  loaded,  a  process  switch  will  take  about  2  ms.  It  may  be 
possible  to  improve  on  this  performance  by  increasing  the 
number  of  MMU's  in  the  system.  Then  the  address  space  can  be 

v. 

changed  simply  by  switching  control  to  another  MMU . 
c.  Two-Eomain  Operations 

The  ZSm  CPU  can  operate  in  either  system  mode 


or  normal  mode.  In  the  system  mode  all  operations  are 
allowed,  but  in  the  user  mode,  certain  system  instructions 
are  prohibited.  The  system  call  instruction  allows 
controlled  entry  to  the  system  mode.  This  two-domain 
instruction  capability  supports  the  two  domain  sturcture  of 
SASS  by  providing  a  single  controlled  entry  into  the  kernel 
(SYSTEM  CALL  instruction).  The  descriptors  contained  in  the 
MMU  registers  provide  the  capability  to  partition  process 
address  spaces  into  supervisor  and  kernel  domains. 


■lection  Rationale 


The  characteristics  listed  above  -  processor 


multiplexing  support,  a  memory  segmentation  capability, 

multiple  domain  insturcti ons ,  and  multiple  domain  memory 

/ 

partitioning  -  are  features  which  are  essential  to  an 
efficient  implementation  of  SASS.  The  ZSC21  has  other 
desirable  features:  vectored  and  ron-vectored  interrupts, 
large,  powerful  instruction  set,  many  data  types,  etc.  These 
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attributes  make  the  Zilog  system  a  suitable  choice  as  a  bare 
machine  for  the  Secure  Archival  Storage  System. 


F.  SUMMARY 

This  chapter  has  provided  a  description  of  the 
methodology  employed  in  the  design  and  specification  of 
SASS.  In  particular  it  was  noted  that  a  top-down  design 
philosophy  most  effectively  supported  implementation  of 
system  design  goals.  Requirements  supporting  the  primary 
design  goal  of  internal  security  and  other  general  and 
specific  goals  were  defined  and  traced  to  desired  hardware 
capabilities.  Finally.  capabilities  of  Zilog's  Z22&.1 
microprocessor  which  support  the  SASS  design  were  described. 

Chapter  Three  will  provide  an  overview  of  the  SASS 
design.  The  design  will  be  described  from  a  process 
viewpoint  and  the  hierarchical  structure  of  the  distributed 
kernel  will  be  examined. 
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III.  SECURITY  KERNEL  DBS  ISM 


The  high  level  design  of  the  Secure  Archival  Storage 
System  can  he  described  by  a  collection  of  cooperating 
processes.  The  use  of  processes  to  perform  operating  system 
functions  greatly  simplifies  the  problem  of  describing  the 
asynchronous  manner  in  which  services  are  requested. 

A.  PROCESS  VIEW 

There  are  two  kinds  of  processes  within  SASS,  supervisor 
processes  and  kernel  processes.  Supervisor  processes  provide 
high  level  services  to  host  computers  [2],  Certain  functions 
of  the  operating  system  are  distributed  throughout  all  of 
these  processes?  that  is,  supervisor  processes  logically 
share  a  collection  of  distributed  kernel  modules.  Kernel 
processes  provide  specialized  services  within  the  operating 
system.  The  system  user  is  not  aware  of  the  existence  of 
these  processes,  but  they  are  called  upon,  within  the  kernel 
domain,  by  supervisor  processes  to  perform  necessary 
operating  system  functions  in  support  of  user  services. 


One  pair  of  supervisor  processes,  an  I/O  Manager  and 
a  File  Manager,  represents  each  computer  host  supported  by 


SASS. 

The  File  Manager  controls  SASS  and  directs  all 
interaction  between  SASS  and  computer  hosts  in  order  to 
maintain  a  structure  of  hierarchical  files  on  behalf  of  each 
host  It  interprets  commands  received  from  hosts  via  the  I/C 
Manager  ard  coordinates  tne  execution  of  requested  services 
with  assistance  from  the  I/O  Manager  and  the  Memory  Manager 
(described  below). 

The  I/O  Manager  transfers  information  via  a  link 
between  each  host  and  SASS.  Lata  is  transfered  by  fixed-size 
packets  in  command,  data,  and  synchronization  formats.  The 
I/O  Manager  provides  only  a  transfer  service  and  does  not 
interpret  the  data . 

2.  Serr.el  Processes 

The  two  kernel  processes  used  by  SASS  are  the  Memory 
Manager  and  the  Idle  process.  The  Memory  Manager  controls 
primary  and  secondary  memory.  The  design  of  this  process  is 
the  topic  of  concurrent  thesis  research  [3].  The  Memory 
Manager  transfers  segments  between  primary  and  secondary 
memory  in  response  to  requests  from  supervisor  processes. 

The  Idle  process  defines  the  "no  work"  state  of  the 
system.  SASS  attempts  to  schedule  useful  work  on  system 
processors  whenever  possible.  Only  when  there  is  no  work  to 


be  done,  (i.e.,  no  commands  pending  from  hosts)  will  this 
process  be  called  upon  to  execute. 

3.  Host  Environment 

Host  computers  view  SASS  as  a  remote  data  warehouse 
where  they  may  store  and  retrieve  files  (figure  6).  Each 
host  is  provided  with  a  virtual  file  hierarchy  constructed 
from  directory  and  data  files.  A  pair  of  SASS  supervisor 
processes  (an  I/O  Manager  and  a  File  Manager)  provide  each 
host  with  a  set  of  commands  by  which  it  may  store  and 
retrieve  files  in  its  virtual  file  system  and  share  files 
with  other  hosts.  The  distributed  kernel  functions  of  each 
process  control  the  physical  resources  of  the  system  in 
support  host  commands  and  SASS  security  policy. 


SASS  Process  Configuration 


FIGURE  6 
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E.  VIRTUAL  MACHINE  VIEW 


The  distributed  modules  of  the  security  kernel  create  a 
virtual  hierarchical  machine  which  controls  process 
interactions  and  nanages  physical  processor  resources.  The 
Kernel  is  not  aware  of  the  details  of  process  tasks.  It 
knows  each  process  only  by  a  name  (viz.,  an  entry  number  in 
a  table)  and  provides  processes  with  scheduling  and 
interprocess  communication  services  based  on  this  process 
identifier.  All  supervisor  processes  share  the  modules  of 
this  virtual  hierarchical  machine  (Figure  ?). 

The  kernel  is  constructed  in  layers  of  abstraction.  Each 
layer,  or  level,  builds  upon  the  resources  created  at  lower 
levels.  The  rules  of  abstraction  described  in  Chapter  2  were 
applied  to  the  design  of  this  structure.  Level  £  is  the  bare 
machine  which  provides  the  physical  resources  (processors 
and  storage)  upon  which  the  virtual  machine  is  constructed. 
The  remainder  of  this  chapter  will  describe  the  level  of 
virtualization  (or  layer  of  abstraction)  created  by  each 
distributed  kernel  module. 


Level-1  of  this  virtual  machine  is  the  Inner  Traffic 


Controller  Module.  This  module  creates  a  set  of  virtual 


processors  with  the  extended  instruction  set:  SIGNAL,  WAIT, 
SWAPJTDBR,  IDLE,  SST_7PRE3M?T ,  TSST_VPRE3MPT ,  and 
RUNNING  VP. 
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DISTRIBUTED  KERNEL 
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Figure  7 
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SIGNAL  and  WAIT  provide  an  interprocessor 
communication  mechanism  used  within  the  kernel  to  provide 
multiprogramming.  These  instructions  invoke  the  level-l 
scheduling  procedure,  GETWORK,  which  multiplexes  virtual 
processors  on  a  physical  processor. 

5WAF_VEBR  and  IDLE  are  instructions  invoked  from 
level-2  by  the  Traffic  Controller  Module  to  schedule 
processes  on  a  virtual  processor. 

SET_VPREEMPT  and  TEST_VPREEl*PT  create  a  virtual 
processor  interrupt  mechanism.  SST_V?REEMPT  is  invoked  from 
level-2  when  the  traffic  controller  desires  to  load  a  new 
process  on  a  virtual  processor  that  is  not  scheduled. 
TEST_VPR2SMFT  is  invoked  by  the  Gatekeeper  of  each 
distributed  process  upon  every  exit  from  the  kernel  domain. 
The  Gatekeeper  unmasks  virtual  interrupts  by  testing  the 
interrupt  flag  of  the  scheduled  virtual  processor.  If  the 
flap  is  set,  a  virtual  interrupt  handler  is  invoked, 
otherwise  the  process  enters  the  supervisor  domain  normally. 

RUNNING_VP  is  invoked  from  level-2  to  provide  the 
Traffic  Controller  with  the  identity  of  the  currently 
scheduled  virtual  processor.  The  identity  of  a  particular 
processor  must  be  known  in  the  virtual  environment,  just  as 
the  identity  of  a  physical  processor  is  required  in  a 
multiprocessor  system. 
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.  Traffic  Controller  Module 

The  Traffic  Controller  resides  at  level-2.  It 
manages  the  scheduling  of  processes  cn  virtual  processors  by 
invoicing  the  extended  instructions  of  the  virtual  processors 
in  level-1.  In  addition  to  implementing  the  level-2 
scheduling  algorithm,  the  Traffic  Controller  creates  the 
extended  instruction  set:  ADVANCE,  AWAIT,  and  FR0CESS_C1ASS . 

ADVANCE  and  AWAIT  are  used  to  implement  eventcounts 
and  sequencers  [11],  an  inter-processor  communication  (IPC) 
mechanism  invoked  by  the  supervisor.  Although  SIGNAL  and 

WAIT  provided  an  adequate  interprocessor  synchronization 

» 

mechanism  within  kernel.  Parks  [2]  determined  that 
supervisor  process  synchronization  would  be  more  effectively 
served  in  the  secure  environment  of  SASS  by  the  use  of 
eventcounts . 

FROCESS_CLASS  is  invoked  from  level-3.  It  returns 
the  label,  subject  access  class,  of  the  current  process  for 
determining  a  subject-object  relation. 

a.  Scheduling 

Scheduling  functions  are  divided  between  the 
Inner  Traffic  Controller  and  the  Traffic  Controller.  The 
Inner  Traffic  Controller  multiplexes  virtual  processors  on  a 
CPTT.  The  Traffic  Controller  schedules  processes  on  virtual 
processors . 

The  division  of  the  scheduling  algorithm  between 
these  two  levels  simplifies  its  design,  because  it  seperates 
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the  issues  of  virtual  processor  management 
(multiprogramming)  from  virtual  memory  management  [12].  A 
design  choice  was  made  to  provide  each  system  CPU  with  a 
small  fixed  set  of  virtual  processors.  Since  the  virtual 
processor  data  base  is  shared  by  all  system  CPU's,  it  must 
remain  permaently  in  global  memory. 

The  process  data  base,  used  to  implement  level-2 
scheduling  will  be  much  larger.  Since  supervisor  processors 
are  known  to  the  entire  system,  this  data  must  also  be  kept 
in  global  memory.  Because  level-2  is  subject  to  memory 
management,  this  data  could  be  kept  on  secondary  storage  and 
moved  to  primary  memory  when  requested. 

SASS  does  not  provide  dynamic  memory  management, 
therefore  the  two-level  scheduling  design  presented  here  is 
not  essential  to  the  design.  However,  the  structure  has  beer, 
provided  in  this  implementation  to  support  more  complex 
family  members  of  the  O'Connell-nichardson  design.  Figure  8 
illustrates  the  two  levels  of  scheduling  employed  by  the 
distributed  kernel. 

The  two  virtual  processors  (Mem_Mgr_VP  and 
Iile_VP  in  Figure  8)  are  permanently  bound  to  kernel 
processes  and  are  not  in  contention  for  process  scheduling. 
The  remaining  VP's  are  temporarily  bound  to  supervisor 
processes  as  determined  by  the  Traffic  Controller.  If  no 
supervisor  process  is  available,  the  Traffic  Controller 


Invokes  the  Inner  Traffic  Controller  (IDLE)  which  leads  an 
Idle  process  on  the  virtual  processor. 

The  Inner  Traffic  Controller  schedules  virtual 
processors  on  the  physical  processor.  Heady  virtual 
processors  with  temporarily  bound  idle  processes  (7P  #1  and 
VP  #2  in  Figure  £)  will  be  scheduled  only  to  give  an  Idle 
process  away  for  a  supervisor  process  (i.e.,  when  virtual 
preempt  flag  is  set).  The  Idle  process  will  actually  run 
when  the  virtual  processor  to  which  it  is  permanently  bound 
(the  Idle-VF  in  Figure  S)  is  scheduled.  This  will  happen 
only  when  all  other  VP's  are  waiting  or  temporarily  bound  to 
Idle  processes,  i.e.,  when  there  is  no  useful  work  for  the 
cpa. 
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TWO-LEVEL  SCHEDULING 


Figure  8 
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3.  Non-r lscretlonary  Security  Module 

The  Mon-Discretionary  Security  module  in  level-3 
reflects  the  system's  security  policy.  It  compares  two 
labels,  subject  and  object  access  classses,  passed  to  it  by 
other  modules,  and  returns  the  relationship  of  the  labels 
based  on  a  lattice  structure  known  to  it.  To  perform  this 
function  it  provides  the  extended  instruction,  PEIATION, 
which  is  used  by  the  Event  Manager  and  the  Segment  manager 
to  determine  access  permission.  These  modules  make  decisions 
about  access  based  on  the  relationships:  equal,  less  than, 
greater  than,  and  not  related.  The  Mon-discretionary 
Security  module  is  the  only  module  which  interprets  the 
labels  themselves.  A  different  security  policy  (e.g., 
Privacy  Act  vs  LCD)  can  be  implemented  simply  by  changing 
the  lattice  structure  used  in  this  module. 

4.  Event  Manager  Module 

The  Event  Manager  is  a  level-3  nodule  invoked  by 
supervisor  processes  via  the  gatekeeper.  This  module  creates 
a  set  of  extended  instructions:  ADVANCE,  AWAIT,  HEAD  and 
TICKET.  It  determines  the  access  permission  of  desired 
interprocess  communications  and  obtains  a  global  handle  from 
a  Memory  Manager  data  base  where  event  data  is  stored.  If 
access  is  permitted,  the  event  manager  passes  this  handle, 
which  Identifies  the  event,  to  the  Traffic  Controller  where 
the  appropriate  event  count  instruction  is  invoked.  For 
sequencer  operations  the  Memory  Manager  is  invoked  directly. 
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The  use  of  the  handle  is  necessary  because  of  the  design 
choice  to  store  event  data  in  a  data  base  of  the  Memory 
Manager  [3] .  This  insures  that  inter-domain  IFC  does  not 
violate  SASS  security  policy. 

5 .  Segment  Manager  Module 

The  Segment  Manager  also  resides  in  level-3.  This 
module  creates  a  set  of  extended  instructions  for 
manipulating  segments.  These  instructions  are:  CREATE, 
DEISTS,  SWAP_IN,  SWAP_0UT,  MAKE_KNO'.tfN .  and  TERMINATE. 
Modules  of  the  supervisor  domain  invoke  these  instructions 
to  coordinate  host  support.  CREATE  and  DELETE  add  and  remove 
segments  from  the  system.  SWAP_IN  and  SWAP_0UT  cause  a 
segment  to  be  moved  between  primary  and  secondary  memory 
(i.e.,  between  a  paged  disk  and  contiguous  memory). 
MAS3JCN0VN  and  TERMINATE  add  and  remove  a  segment  from  a 
process  address  space. 

6 .  C-atekeeper  Module 

The  Gatekeeper  exists  on  the  boundary  between  the 
kernel  and  supervisor  domains.  It  provides  the  sole  entry 
point  into  the  kernel  domain,  so  when  the  execution  point  of 
a  process  enters  the  kernel  domain  of  its  address  space  it 
must  do  so  through  the  Gatekeeper. 

The  hardware  of  the  MMU  partitions  process  address 
spaces  into  two  domains  by  setting  the  ring  number  (zero  or 
one)  in  each  segment's 
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attribute  register 


Software  provided  by  the  Gatekeeper 


perform?  the  following  additional  functions: 

Kernel  Entry 

1.  Unmask  Hardware  interrupts. 

2.  Save  supervisor  domain  register's. 

3.  Save  supervisor  stack  pointer  in  kernel  stack 
segment. 

4.  Check  arguments  and  invoke  appropriate  kernel 
entry  points. 

(Virtual  machine  instructions). 

Kernel  Exit 

1.  Invoke  TESTJTPREEMPT 

(i.e.,  umnask  virtual  interrupts). 

2.  Restore  supervisor  domain  stack  pointer. 

3.  Restore  supervisor  domain  registers. 

4.  Unmask  hardware  interrupts. 

5.  Return  to  process  execution  point  in 

in  supervisor  domain. 


C.  REVIEW 

This  chapter  has  described  the  high  level  design  of  the 
Secure  Archval  Storage  System  kernel  from  two  points  cf 
view.  In  the  process  view  the  system  is  composed  of  pairs  of 
supervisor  processes  (an  I/O  Manager  and  a  File  Manager)  for 
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each  host  computer  and  a  pair  of  kernel  processes  (a  yemor y 
Manager  and  an  Idle  process)  for  each  real  processor  in  the 
system.  The  supervisor  processes  provide  high  level  services 
to  host  computers  while  the  kernel  processes  control  system 
memory  resources  and  provide  ar.  idle  system  state. 
Distributed  kernel  functions  implement  two  levels  of 
scheduling,  provide  interprocessor  synchronization  and 
communication,  manage  segments,  and  isolate  and  protect  the 
kernel  domain  of  process  address  spaces.  The  distributed 
kernel  is  constructed  as  a  hierarchical  virtual  machine. 
Evidence  of  the  versitility  of  the  loop-free,  configuration 
independent  structure  of  this  design  car  be  observed  in 
concurrent  thesis  work  in  this  area  [19] .  An  Intel  5?36 
multiprocessor  operating  system  implementation,  based  on  the 
same  design,  uses  essentially  the  same  virtual  insturction 
set  described  in  this  chapter.  An  implementation  of  the 
first  two  levels  of  this  kernel  machine  is  presented  in  the 
next  chapter. 
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IV. 


IMPLEMENTATION 


Implementation  of  the  distributed  kernel  was  simplified 
by  the  hierarchical  structure  of  the  design  for  it  permitted 
methodical  bottom-up  construction  of  a  series  of  extended 
machines.  This  approach  was  particularly  useful  in  this 
implementation  since  the  bare  machine,  the  Z8EEE 
Developmental  Module,  was  provided  with  only  a  small  amount 
of  software  support. 

A.  EEVFIOPMFNTAL  SUPPORT 

A.  Zilog  MCZ  Developmental  System  provided  support  in 
developing  Z8EEE  machine  code.  It  provided  floppy  disk  file 
management,  a  text  editor,  a  linker  and  a  loader  that 
created  an  image  of  each  ZSEEE  load  module. 

A  Z8ECE  Developmental  Module  (DM)  provided  the  necessarv 
hardware  support  for  operation  of  a  Z8 ?i2.  ncn-segmented 
microprocessor  and  16K  words  (32K  bytes)  of  dynamic  RAM .  It 
included  a  clock,  a  USART,  serial  and  parallel  I/O  support, 
and  a  2K  PROM  monitor. 

The  monitor  provided  access  to  processor  registers  and 
memory,  single  step  and  break  point  functions,  basic  I/O 
functions,  and  a  download/upload  capability  with  the  MCZ 
system. 
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Since  a  segmented  version  of  the  processor  was  not 
available  for  system  development,  segmentation  hardware  was 
simulated  in  software  as  an  MMU  image  (see  Figure  9). 
Although  this  data  structure  did  not  provide  the  hardware 
support  (traps)  required  to  protect  segments  of  the  kernel 
domain,  it  preserved  the  general  structure  of  the  design. 

wilt_imac-e 

I 

seg 
# 

i 

Figure  9 

B.  INNER  TRAFFIC  CONTROLLER 

The  Inner  Traffic  Controller  runs  on  the  bare  machine  to 
create  a  virtual  environment  for  the  remainder  of  the 
system.  Only  this  module  is  dependent  on  the  physical 
processor  configuration  of  the  system.  All  higher  levels  see 
only  a  set  of  running  virtual  processors.  A  kernel  data 
base,  the  Virtual  Processor  Table  is  used  by  the  Inner 
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Traffic  Controller  to  create  the  virtual  environment  of  this 
first  level  extended  machine.  A  source  listinr  of  the  Inner 
Traffic  Controller  nodule  is  contained  in  Appendix  A. 

1 .  Virtual  Frocessor  Table  (VPT) 

The  VPT  is  a  data  structure  of  arrays  and  records 
that  maintains  the  data  used  hy  the  Inner  Traffic  Controller 
to  multiplex  virtual  processors  on  a  real  processor  and  to 
create  the  extended  instruction  set  that  controls  virtual 
processor  operation  (see  Figure  10).  There  is  one  table  for 
each  physical  processor  in  the  system.  Since  this 
implementation  was  for  a  uniprocessor  system  (the  Z80C0  DM), 
only  one  table  was  necessary. 

Virtual  Processor  Table 

ICC  K 

PUNNING  LIST 
PEADT  lIst 

FREE  IlST 


DBP 

PF.I 

STATE 

IDLE  FLAG 

CPU 

MSG 

MESSAGE 

SENDER 

NEXT  MSG 

INEEX 

1 

1 

Figure  10 
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The  table 


contains  a  LOCK  which  supports  an 


exclusion  mechanism  for  a  multiprocessor  system.  It  was 
provided  in  this  implementation  only  to  preserve  the 
generality  of  the  design. 

The  Eescriptor  Base  Register  (BLR )  binds  a  process 
to  a  virtual  processor.  The  DBF  points  to  an 
containing  the  list  of  descriptors  for  segments  in  the 
process  address  space. 

A  virtual  processor  (V?)  can  be  in  ore  of  three 
states:  running,  ready,  and  waiting  (figure  11'. 


Virtual  Processor  States 


A  running  VF  is  currently  scheduled  on  a  real  processor.  A 
ready  V?  is  ready  to  be  scheduled  when  selected  by  the 
level-1  scheduling  algorithm.  A  waiting  V?  is  awaiting  a 
message  from  some  other  V p  to  place  it  in  the  ready  list.  In 
the  meantime  it  is  not  in  contention  for  the  real  processor. 

2.  Ievel-1  Scheduling 

Virtual  processor  state  changes  are  initiated  by  the 
inter-virtual-urccessor  communication  mechanisms,  SIGNAL  and 
WAIT.  These  level-1  instructions  implement  the  scheduling 
policy  by  determining  what  virtual  processor  to  bind  to  the 
real  processor.  The  actual  binding  and  unbinding  is 
performed  by  a  Processor  switching  mechanism  called  SWAP_DER 
[10] .  Processor  switching  implies  that  somehow  the  execution 
point  and  address  space  of  a  new  process  are  acquired  by  the 
processor.  Care  must  be  taken  to  insure  that  the  old  process 
is  saved  and  the  new  process  loaded  in  an  orderly  manner.  A 
solution  to  this  problem,  suggested  by  Saltzer  [10],  is  to 
design  the  switching  mechanism  so  that  it  is  a  common 
procedure  having  the  same  segment  number  in  every  address 
space . 

In  this  implementation  a  processor  register  (R14) 
was  reserved  within  the  switching  mechanism  for  use  as  a 
DSP.,  Processor  switching  was  performed  by  saving  the  old 
execution  point  (  i.e.,  processor  registers  and  flag  control 
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word),  loading  the  new  DBS  and  then  loading  the  new 
execution  point.  The  processor  switch  occurs  at  the  instant 
the  DBR  is  changed  (see  figure  12).  Because  the  switching 
procedure  is  distributed  in  the  sane  numbered  segment  in  all 
address  spaces,  the  "next"  instruction  at  the  instant  of  the 
switch  will  have  the  same  offset  no  matter  what  address 
space  the  processor  is  in.  This  is  the  key  to  the  proper 
operation  of  SVA?_DBR. 


SWAP  DBR 


Process  #1 


Process  a2 


Address  space 

Address  spare 

j 

Call  SWAP  DBR 

1 

T 

Save  return  point 
on  call  stack. 

(Process  #1) 

I 

r 

Save  execution  point 

• 

• 

.  A  .. ... 

• 

processor 

switch 


1 


load  new  execution 
point  .1 


t 


Load  return  point 
from  call  stack 
(process  #2) 


Figure  12 
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To  convert  this  switching 

mechanism 

to 

segmented 

hardware 

it  is  necessary  merely 

to  replace 

SWA? 

_EEF  with 

special 

I/O  block-move  instructions 

that  save 

the 

contents 

of  the 

in  the  appropriate 

MMU_IMAGF 

and 

load  the 

contents 

of  the  new  MMU_IMAG3  into 

the  MM'J. 

a.  Getwork 

SWAP_EBP.  is  contained  within  an  internal  Inner 
Traffic  Controller  procedure  called  GETWORK.  In  addition  to 
multiplexing  virtual  processors  on  the  CPU,  GETWORI 
interprets  the  virtual  processor  status  flags,  IDLE  and 
PREEMPT,  and  modifies  VP  scheduling  accordingly  in  an 
attempt  to  keep  the  CPU  busy  doing  useful  work. 

There  are  actually  two  classes  of  idle  processes 
within  the  system.  One  class  belongs  to  the  Traffic 
Controller.  Conceptually  there  is  a  ready  level-2  idle 
process  for  each  virtual  processor  available  to  the  Traffic 
Controller  for  scheduling.  When  a  running  process  blocks 
itself,  the  Traffic  Controller  schedules  the  first  ready 
process.  This  will  be  an  idle  process  if  no  supervisor 
processes  are  in  the  ready  list. 

The  second  class  of  idle  process  exists  in  the 


kernel.  The  kernel  Idle  process  is  permanently  bound  tc  the 
lowest  priority  virtual  processor. 


The  distinction  is  made  between  these  classes 
because  of  the  need  to  keep  the  CPU  busy  doing  useful  work 
whenever  possible.  There  is  no  need  for  GETWORK  to  schedule 
a  level-2  idle  process  that  has  been  loaded  on  a  virtual 
processor,  because  the  idle  process  does  no  useful  work.  The 
virtual  processor  IDLE_?LAG  indicates  that  a  virtual 
processor  has  been  loaded  with  a  level-2  idle  process. 
GETWORK  will  schedule  this  virtual  processor  only  if  the 
PREEMPT  fla?  is  also  set.  The  PREEMPT  flae  is  a  signal  from 
the  Traffic  Controller  that  a  supervisor  process  is  now 
ready  to  run. 

Vhen  G2TW0RE  can  find  no  other  ready  virtual 
processors  with  IDLE  and  FREEST  fla«s  off,  it  will  select 
the  virtual  processor  permanently  bound  to  the  kernel  *  Idle 
process.  Only  then  will  the  Idle  process  actually  run  on  the 
CPU. 

Getwork  contains  two  entry  points.  The  first,  a 
normal  entry,  resets  the  preempt  interrupt  return  flag.  (R? 
is  reserved  for  this  purpose  within  GETWORK.)  The  second,  a 
hardware  interrupt  entry  point,  contains  an  interrupt 
handler  which  sets  the  preempt  interrupt  returr  flag.  The 
DBP.  (P.14)  must  also  be  set  to  the  current  value  by  any 
procedure  that  calls  GETWORK  in  order  to  permit  the  SWAF_EER 
portion  of  GETWORK  to  have  access  to  the  scheduled  process's 
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address  space.  Upon  completion  of  the  processor  switch, 
GETWOFK  examines  the  interrupt  return  flag  to  determine 
whether  a  normal  return  or  an  interrupt  return  is  required. 


The  hardware  interrupt  entry  point  in  GET'*0RK 
supports  the  technique  used  to  initialize  the  system.  Each 
process  address  space  contains  a  kernel  domain  stack  segment 
used  by  SVAP-DBR  in  GETWORE  to  save  and  restore  7?  states. 
For  the  same  reason  that  StfAP-BER  is  contained  in  a  system 
wide  segment  number,  the  stack  segment  ir.  each  process 
address  space  will  also  have  the  same  number  (Segment  #1  ir 
this  implementation).  Each  stack  segment  is  initially 
created  as  though  it's  process  had  been  previously  preempted 
by  a  hardware  interrupt.  This  greatly-  simplifies  the 
initialization  of  processes  at  system  generation  time.  The 
details  of  system  initialization  will  be  described  later  in 
this  chapter.  It  is  important  to  note  here,  however,  that 
GETWORE  must  be  able  to  determine  whether  it  was  invoked  by 
a  hardware  preempt  interrupt  or  by  a  normal  call,  before  it 
can  execute  a  return  to  the  calling  procedure.  This  is 
because  a  hardware  interrupt  causes  three  items  to  be  placed 
on  the  system  stack:  the  return  location  of  the  caller,  the 
flag  control  word,  and  the  interrupt  identifier,  whereas  a 
normal  call  places  only  the  return  location  on  the  stack. 
Therefore,  in  order  to  clean  up  the  stack. 


GETWORE  must 


execute  an  interrupt  return  (assembly  instruction:IRET •  if 
entry  was  via  the  hardware  preempt  handler  (i.e.,  ?.2  set). 
This  instruction  will  pop  the  three  items  off  the  stack  and 
return  to  the  appropriate  location.  If  the  interrupt  return 
flag.  R£,  is  off,  a  normal  return  is  executed. 

During  normal  operation,  SWAP-DBR  manipulates 
process  stacks  to  save  the  old  VP  state  and  load  the  new  V? 
state.  This  action  proceeds  as  fellows  (figure  13): 

1.  The  Flag  Control  Word  (FCW).  the  Stack  Pointer  (F.15) 
and  the  preempt  return  flag  (R0)  are  saved  in  the  eld 
VF's  kernel  stack. 

2.  The  D5R  (R14)  is  loaded  with  the  new  VP's  DPR.  This 
permits  access  to  the  address  space  of  the  new  process. 

3.  The  Flag  Control  Word  (FCW),  the  Stack  Pointer  (P.15) 
and  the  Interrupt  Return  Flag  (R0),  are  loaded  into  the 
appropriate  CFO  registers. 

4.  R0  is  tested.  If  it  is  set,  G3TV0RK  will  execute  an 
interrupt  return.  If  it  is  off,  a  normal  return  occurs. 


Kernel  Stack  Segments 


Old  VP  Stack  New  VP  Stack 


FIGURE  13 


By  constructing  GETWORK  in  this  way.  both  system 
initialization  and  normal  operations  can  be  handled  in  the 
same  way.  A  high  level  GETWORK  algorithm  is  giver,  in  figure 
14. 

3.  Virtual  Processor  Instruction  Set 

The  heart  of  the  SASS  scheduling  mechanism  is  the 
internal  procedure,  GETWORK.  It  provides  a  powerful  internal 
primitive  for  use  by  the  virtual  processors  and  greatly 
simplifies  the  design  of  the  virtual  processor  instruction 
set.  Virtual  processor  instructions  perform  three  types  of 
functions:  multiprogramming,  process  management  and  virtual 
interrupts . 
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GETWORK  Procedure  (CBR  =  R14) 

Begin 

Reset  Interrupt  Return  Flag  (HP) 

Skip  hardware  preempt  handler 

Hardware  Preempt  Entry: 

Set  D3R 

Save  CPU  registers 

Save  supervisor  stack  pointer 

Set  Interrupt  Return  Flag  (R0) 

Get  first  ready  VP 

Do  while  not  Select 
If  Idle  flag  is  set  then 
if  Preempt  flag  is  set  then 
select 
else 

get  next  ready  vp 
end  if 
else 
select 
end  if 
end  do 

SVAP_DER: 

Save  old  V?  registers  in  stack  segment 
Swap  dhr  (R14) 

load  new  VP  registers  in  stack  segment 

If  Interrupt  Return  Flag  is  set  then 
unlock  VPT 

simulate  GATEKEEPER  exit: 

Call  TEST_VFREFNPT 

Restore  supervvisor  registers 

Restore  supervvisor  stack  pointer 

Execute  Interrupt  Return  (IRET) 
end  if 

Execute  normal  return 
end  GETVCRK 


Figure  14 
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SIGNAL  and  WAIT  provide  synchronization  and 
communication  between  virtual  processors.  They  multiplex 
virtual  processors  on  a  CPU  to  provide  multiprogramming. 
This  implementation  used  a  version  of  the  signal  and  wait 
algorithms  proposed  by  Saltzer  [1C].  In  the  SASS  design  each 
CPU  is  provided  with  a  unique  (fixed)  set  of  virtual 
processors.  The  interaction  among  virtual  processors  is  a 
result  of  multiprogramming  them  on  the  real  processor.  Only 
one  virtual  processor  is  able  to  access  the  VP?  at  a  time 
because  of  the  use  of  the  VF.T  10CK  (SPIN_L0CK)  to  provide 
mutual  exclusion.  Therefore  race  and  deadlock  conditions 
will  not  develop  and  the  signal  pending  switch  used  by 
Saltzer  is  not  necessary. 

This  implementation  also  included  message  passing 
mechanism  not  provided  by  Saltzer.  The  message  slots 
available  for  use  by  virtual  processors  are  initially 
contained  in  a  queue  pointed  to  by  FREE-LIST.  When  a  message 
is  sent  from  one  VP  to  another,  a  message  slot  is  removed 
from  the  free  list  and  placed  in  a  FIFO  message  queue 
belonging  to  the  VP  receiving  the  message.  The  head  of  each 
VP's  message  queue  is  pointed  to  by  KSG-LIST.  Each  message 
slot  contains  a  message,  the  ID  of  the  sender,  and  a  pointer 
to  the  next  message  in  the  list  (either  the  free  list  or  the 
VP  message  list. 
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IDLE  and  SWAP_7DBR  provide  the  Traffic  Controller 


with  a  means  of  scheduling  processes  on  the  running  V?. 

SET_VPREEMPT  and  TZST_VPREEMPT  install  a  virtual 
interrupt  mechanism  in  each  virtual  processor.  When  the 
Traffic  Controller  determines  that  a  virtual  processor 
should  *>ive  up  its  process  because  a  higher  priority  process 
is  now  ready,  it  sets  the  PREEMPT  flag  in  that  VP.  Then, 
even  if  an  idle  process  is  loaded  on  the  VP,  it  will  be 
scheduled  and  will  he  loaded  with  the  first  ready  process. 
Test_7Preempt  is  a  virtual  interrupt  unmasking  mechanism 
which  forces  a  process  to  examine  the  preempt  flag  each  time 
it  exists  from  the  kernel, 
a.  Wait 

WAIT  provides  a  means  for  a  virtual  processor  to 
move  itself  from  the  running  state  to  the  waiting  state  when 
it  has  no  more  work  to  do.  It  is  invoked  only  for  system 
events  that  are  always  of  short  duration.  It  is  supported  by 
three  internal  Procedures. 

SPIN__L0CK  enables  the  running  VP  to  gain  control 
of  the  Virtual  Processor  Table.  This  procedure  is  only 
necessary  in  a  multiprocessor  environment.  The  running  VF 
will  have  to  wait  only  a  short  amount  of  time  to  gain 
control  of  the  VFT.  SFIN_L0CK  returns  when  the  VP  has  locked 
the  VPT. 
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GST WORK  loads  the  first  eligible  virtual 
processor  of  the  ready  list  on  the  real  processor.  Before 
this  orocedure  is  Invoked,  the  running  VF  is  placed  in  the 
ready  state.  Both  ready  and  running  VP's  are  members  of  a 
FIFO  queue.  G2TW0RK  selects  the  first  VP  In  this  ready  list, 
loads  It  on  the  CPU,  and  places  it  in  the  running  state. 
When  GSTWORK  returns,  the  first  VP  of  the  queue  will  always 
be  running  and  the  second  will  be  the  first  VP  in  the  ready 
queue . 


G2T_FIRST_MESSAGS  returns  the  first  message  of 
the  message  list  (also  managed  as  a  FIFO  queue)  associated 
with  the  running  VP.  The  action  taken  by  MIT  is  as  follows. 


WAIT  Procedure  (Returns:  Msg,  Sender_IIM 
Begin 


Lock  VPT  (call  SFIN_L0Cn 

If  message  list  empty  (i.e.,  no  worlr)  Then 
Move  7?  from  Running  to  Waiting  state 
Schedule  first  eligible  Ready  VP  (call  GFTWCFn 

end  if 

(NOTE:  process  suspended  here  until 
it  receives  a  signal  and  is 
selected  bu  G5TW0RI.) 

Get  first  message  from  message  list 
(call  GET_FIRST_M5G ) 

Unlock  VPT 

Return 
end  WAIT 

If  the  running  virtual  processor  calls  WAIT  and 
there  is  a  message  in  its  message  list  (placed  there  when 
another  VP  signaled  it)  it  will  get  the  message  and  continue 
to  run.  If  the  message  list  is  empty  it  will  place  itself  in 
the  wait  state,  schedule  the  first  ready  virtual  processor, 
and  move  it  to  the  running  state.  The  virtual  orocessor  will 
remain  in  the  waiting  state  until  another  running  VP  sends 
it  a  message  (via  SIGNAL).  It  will  then  move  to  the  ready 
list.  Finally  it  will  be  selected  by  GETWCRK,  the  next 
instructions  of  WAIT  will  be  executed,  it  will  receive  the 
message  for  which  it  was  waiting,  and  it  will  return  to  the 
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caller 


b.  Signal 


Messages  are  passed  between  virtual  processors 
by  the  instruction,  SIGNAL,  which  uses  four  internal 
procedures,  5PIN_LCCK,  ENTER_MSG_LIST .  MASE_?ZADT,  and 
GETW0R7 . 

SPIN_10CK,  as  explained  above  insures  that  only 
one  virtual  processor  has  control  of  the  Virtual  Processor 
Table  at  a  time. 

ENTER_MSG_LIST  manages  a  FIFO  message  queue  for 
each  virtual  Processor  and  for  free  messages.  This  queue  is 
of  fixed  maximum  length  because  of  the  implementation 
decision  tc  restrict  the  use  of  SIGNAL.  A  running  7P  can 
send  no  more  than  one  message  (SIGNAL)  before  it  receives  a 
reply  (i.e.,  *AIT's  for  a  message).  Therefore  if  thpre  are  N 
virtual  processors  per  real  processors,  the  message  queue 
length,  L,  is: 

L  =  N  -  1 

MAKE_RZADT  me  ages  the  virtual  processor  ready 
queue.  If  a  message  is  sent  to  a  VP  in  the  waiting  state, 
MAKE_RZAD7  wakes  it  up  (it  places  it  in  the  ready  state)  and 
enters  it  in  the  ready  list.  If  a  running  VP  signals  a 
waiting  VP  of  higher  priority,  it  will  place  itself  back  in 
the  ready  state  and  the  higher  priority  VP  will  be  selected. 
The  action  taken  by  signal  is  as  follows: 


SIGNAL  Procedure  (Message,  tes tina tion_VF^ 

Begin 

Lock  VFT  (call  SPURLOCK) 

Send  message  (call  ENTZR_MSG_LIST ) 

If  signaled  VP  is  waiting  Then 
Wake  it  up  and  make  it  ready 
(call  MASE_READY) 
end  i  f 

Fut  running  V?  in  ready  state. 

Schedule  first  elgihle  ready  VP 
(call  GET WORK ) 

Unlock  VFT 

Return  (Success_codel 
End  SIGNAL 

c.  SWA?_VDB? 

S WAP_VE3F  contains  the  same  processor  switching 
mechanism  used  in  SWAP_DBR,  tut  applies  it  to  a  virtual 
processor  rather  than  a  real  processor.  Switching  is  quite 
simple  in  this  virtual  environment  becaus®  both  processor 


execution 

point 

and  address  space 

are 

defined 

by 

the 

Descriptor 

Base 

Register.  SVAPJTD3R 

is 

invoked 

tv 

the 

Traffic  Controller  to  load  a  new  process  on  a  virtual 
processor  in  support  of  level-2  scheduling.  It  uses  GETWORK 
to  control  the  associated  level-1  scheduling.  The  action 
taken  hy  SWA?  VDBR  is: 


SWAFJTDBR  Procedure  (New_DIR) 

Eegin 

lock  VFT  (call  SPIN_L0CK) 

load  running  VP  with  New_DBR 

Place  running  VP  in  ready  state 

fchedule  first  eligible  ready  VP 
(call  GETWORK) 

Unlock  VPT 

Return 

End  SWAP_VD2R 

In  this  implementation  one  restriction  is  placed 
upon  the  use  of  this  instruction.  If  a  virtual  processor's 
message  list  contains  at  least  one  message,  it  can  not  give 
up  its  current  DPR.  This  problem  is  avoided  as  the  natural 
result  of  using  SIGNAL  and  WAIT  only  for  system  events,  and 
"masking”  preempts  within  the  kernel.  If  this  were 
permitted,  the  messages  would  lose  their  context.  (The 
messages  in  a  VP_MSG_LIST  are  actually  intended  for  the 
process  loaded  on  the  VP.) 
d.  IDLE 

The  IDLE  instruction  loads  the  Idle  DPP.  on  the 
running  virtual  processor.  Only  virtual  processors  in 
contention  for  process  scheduling  will  be  loaded  by  this 
instruction.  (The  Traffic 
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Controller  is  cot  even  aware  of  virtual  processors 
permanently  bound  to  kernel  processes.^ 

IDLE  has  the  same  scheduling  effect  as 
SWAF_VBBR,  hut  it  also  sets  the  IBLE_FLAG  on  the  scheduled 
VP.  The  distinction  is  made  between  the  Two  casps  because, 
although  the  Traffic  Controller  must  schedule  an  Idle 
process  on  the  VP  if  there  are  no  other  ready  processes,  the 
Inner  Traffic  Controller  does  not  wish  to  schedule  an  Idle 
VP  if  there  is  an  alternative.  This  would  be  a  waste  of 
physical  processor  resources.  The  setting  of  the  IELE_FLAG 
by  the  Traffic  Controller  aids  the  Inner  Traffic  Controller 
in  making  this  scheduling  decision.  Logically,  there  is  an 
idle  process  for  each  VP;  actually  the  samp  address  space 
(EBR)  is  used  for  all  idle  processes  for  the  same  CPU,  since 
only  one  will  run  at  a  time.  As  previously  explained, 
virtual  processors  loaded  by  this  instruction  will  be 
selected  by  GETWORK  only  to  give  the  Idle  process  away  fcr  a 
new  process  in  response  to  a  virtual  preempt  interrupt.  The 
action  of  IDIE  is: 


IDLE  Procedure 


Besin 

lock  7PT  (call  S?IN_LOCK) 

Load  running  7P  with  Idle  DBR 

Set  7P's  IILE_ELAG 

Place  running  7P  in  ready  state 

Schedule  first  elgible  ready  7P 
(call  GETWORK) 

Unlock  7PT 

Return 

End  IDLE 

e.  SET_7PREEMPT 

SET_7PREEMPT  sets  the  preempt  interrupt  flag  on 
a  specified  virtual  processor.  This  forces  the  virtual 
processor  into  level-1  scheduling  contention,  even  if  it  is 
loaded  with  an  Idle  process.  The  instruction  retrieves  an 
idle  virtual  processor  in  the  same  way  a  hardware  preempt 
retrieves  an  idle  CPU  by  forcing  the  7P  to  he  selected  hy 
GETWORK.  The  only  difference  between  the  two  cases  is  the 
entry  point  used  in  GETWORK.  The  action  of  SET_7PP.EEKPT  is: 
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SETJTPREEMPT  Procedure  (7?) 

Begin 

Set  VP's  PREEMPT  flag 

If  VP  belongs  to  another  CPU  Then 
send  hardware  interrupt 

end  if 

Return 

End  SET^VPSEEMPT 

Since  the  action  is  a  safe  sequence,  no 
deadlocks  or  race  conditions  will  arise  and  no  lock  is 
required  on  the  VFT. 

f.  TESTJTPREEMPT 

Within  the  kernel  of  a  multiprocessor  system  all 
process  interrupts  (which  excludes  system  I/O  interrupts) 
are  masked.  If  process  interaction  results  in  a  virtual 
preempt  being  sent  to  the  running  virtual  processor  by 
another  CPU,  it  will  not  be  handled  since  GSTVCRE  has 
already  been  invoked.  TEPT_7FKEEMPT  provides  a  virtual 
preempt  interrupt  unmasking  mechanism. 

TESTJTPREEMPT  mimics  the  action  of  a  physical 
CPU  when  interrupts  are  unmasked.  It  forces  the  process 
execution  point  back  down  into  the  kernel  each  time  the 
process  attempts  to  leave  the  kernel  domain,  where  the 
preempt  flag  of  the  running  VP  is  examined.  If  the  flag  is 
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off,  TEST_VPREEMPT  returns  and  the  execution  point  exits 

through  the  Gatekeeper  into  the  supervisor  domain  of  the 

process  address  space  as  described  above.  However,  if  the 

PREEMPT  flap  is  on,  the  TEST_VPP.EEMPT  executes  a  virtual 

interrupt  handler  located  in  the  Traffic  Controller.  This 

jump  from  the  Inner  Traffic  Controller  to  the  Traffic 

Controller  (TC^PREEMPT_HAhDLER)  is  a  close  parallel  to  the 

action  of  a  CPH  in  response  to  a  hardware  interrupt,  that  is 

a  Jump  to  an  interrupt  handler.  The  Traffic  Controller 

Preempt  Handler  forces  level-2  and  level-1  scheduling  to 

proceed  in  the  normal  manner.  The  preempt  handler  forces  the 

Traffic  Controller  to  examine  the  APT  and  to  apply  the 

level-2  scheduling  algorithm,  TC_GET'iOHE.  If  the  AFT  has 

been  changed  since  the  last  invocation  of  this  scheduler.  It 

will  be  reflected  in  the  scheduling  selections.  Eventually, 

when  the  running  VP's  preempt  flag  is  tested  and  found  to  be 

reset,  TSST_VPR5EM?T  will  return  to  the  Gatekeeper  where  the 

process  execution  point  will  finally,  make  a  normal  exit  into 

*  % 

its  supervisor  domain.  TEST_VFR3EMFT  performs  the  following 


action 


TES T_VFRE2MPT  Procedure 

Begin 

Do  while  running  VP's  PREEMPT  flap  is  set 
Reset  PREEMPT  flag 
Call  preempt  handler 

(call  TC_?REEMPT_KANDLE?. ) 

End  do 

Return 

End  TEST_V?REEMFT 

C.  TRAEIIC  CONTROLLER 

The  Traffic  Controller  runs  in  a  virtual  environment 
created  hy  the  Inner  Traffic  Controller.  It  sees  a  set  of 
running  virtual  processor  instructions:  S’rfA?_7DER,  IDLE, 
SET_7PREEMPT ,  and  RWNINGJTP,  and  provides  a  scheduler, 
TC_GETWORK,  which  multiplexes  processes  on  virtual 
processors  in  response  to  process  interaction.  It  also 
creates  a  level-2  instruction  set:  ADVANCE,  AVAIT,  and 
PEOCESS_CLASS ,  which  is  available  for  use  by  higher  levels 
of  the  design.  The  Traffic  Controller  uses  a  global  data 
base,  the  ACTIVE  PROCESS  TABLE  to  support  its  operation. 

1 .  Active  Process  Table  (APT) 

The  Active  Process  Table  is  a  system-wide  kernel 
database  containing  entries  for  each  supervvisor  process  in 
SASS  (Figure  15).  It  is  indexed  by  active  process  ID. 
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Active  Process  Table 


Figure  15 


The  structure  of  the  APT  closely  parallels  that  of  the 
Virtual  Processor  Table.  It  contains  a  LOCK  to  support  the 
implementation  of  a  mutual  exclusion  mechanism,  a 
RUNNING_IIST ,  and  a  READY_LIST_E3AI> .  The  Traffic  Controller 
is  only  concerned  with  virtual  processors  that  can  be  loaded 
with  supervisor  processes.  Since  two  VP's  are  permanently 
bound  to  kernel  processes  (the  Memory  Manager  and  the  Idle 
Process),  they  cannot  be  in  contention  for  level-2 
scheduling,  the  Traffic  Controller  is  unaware  of  their 
existence?  since  there  are  a  number  of  available  virtual 
processors,  the  RUNNING_IIST  was  implemented  as  an  array 
indexed  by  VP_ID.  The  READY_LIST_HEAD  points  to  a  FIFO  queue 


that  includes  both  running  and  ready  processes.  The  running 
processes  will  be  at  the  top  of  the  ready  list. 

Because  of  their  completely  static  nature,  idle 
processes  require  no  entries  in  the  APT.  Logically,  there  is 
an  idle  process  at  the  end  of  the  ready  list  for  each  7? 
available  to  the  Traffic  Controller.  If  the  ready  list  is 
empty,  TC_GETVOR£  loads  one  of  these  "virtual"  idle 
processes  by  calling  IDLE,  and  enters  a  reserved  identifier, 
#IDLE,  in  the  appropriate  RUNNING_LIST  entry.  This 
identifier  is  the  only  data  concerning  idle  processes  that 
is  contained  in  the  APT.  Idle  process  scheduling 
considerations  are  moved  down  to  level-1,  because  the  Inner 
Traffic  Controller  knows  about  physical  processors,  and  can 
optimize  CPU  use  by  scheduling  idle  processes  only  when 
there  is  nothing  else  to  do. 

The  subject  access  class,  S_CLASS,  provides  each 
process  with  a  label  that  is  required  by  level-3  modules  to 
enforce,  the  SASS  non-discretionary  security  policy. 

2.  Ievel-2  Scheduling 

Above  the  Traffic  Controller,  SASS  appears  as  a 
collection  of  processes  in  one  of  the  three  states:  running, 
ready,  or  blocked.  Sunning  and  ready  states  are  analogous  to 
the  corresponding  virtual  processor  states  of  the  Inner 
Traffic  Controller.  However,  because  of  the  use  of 
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eventcount  synchronization  mechanisms  ty  the  Traffic 
Controller,  the  blocked  state  has  a  slightly  different 
connotation  than  the  VP  waiting  state. 

Blocked  processes  are  waiting  for  the  occurrence  of 
a  non-system  event,  e.g.,  the  event  occurrence  ray  be 
signalled  from  the  supervisor  domain.  When  a  specific  event 
happens,  all  of  the  blocked  processes  that  were  awaiting 
that  event  are  awakened  and  placed  in  the  ready  state.  This 

broadcast  feature  of  event  occurrence  is  more  powerful  than 

the  message  passing  mechanism  of  SIGNAL,  which  must  be 
directed  at  a  single  recipient. 

fust  as  SIGNAL  and  WAIT  provide  virtual  processor 
mul tiplixinfr  in  level-1,  the  eventcount  functions,  ADVANCE 
and  AWAIT,  control  process  scheduling  in  level-2, 
a.  TC_GETWQRK 

Level-2  scheduling  is  implemented  in  the 

internal  Traffic  Controller  procedure,  TC_GETWORE.  This 
procedure  is  invoked  by  eventcount  functions  when  a  process 
state  change  may  have  occurred.  It  loads  the  first  ready 
process  on  the  currently  scheduled  VP  (i.e.,  the  virtual 
processor  that  has  been  scheduled  at  level-1  and  is 

currently  executing  on  the  CPU). 


TC_GSTWORE  Procedure 
Ee?in 

VP_ID  :*  RTJNN  ING_VP 

Do  while  not  end  of  ready  list 
if  process  is  running  then 
get  next  ready  process 
else 

KTTNNING_LIST  [VP_ID]  :=  PROCESSED 
Process  state  :=  running 
SWAP  VDBR 
end  i? 
end  do 

If  end  of  running  list  (no  ready  processes)  Then 
RUNNING  LIST  :  =  #IDLE 
IDLE 
end  if 

Return 

End  TC  GETWORK 


A  source  listing  of  TC_GETWORK  is  contained  in 

Appendix  E . 

h .  TC_PREEMPT_KANDLER 

Preempt  interrupts  are  masked  while  a  process  is 
executing  in  the  kernel  domain.  As  the  process  leaves  the 
kernel,  the  gatekeeper  unmasks  this  virtual  interrupt  ty 
invoking  TEST_"nREZMPT.  This  instruction  tests  the  scheduled 
VP's  PREEMPT  flag.  If  this  flag  is  off,  the  process  returns 
to  the  Gatekeeper  and  exits  from  the  kernel;  hut  if  the  flag 
is  set,  TEST_VPREEMPT  calls  the  Traffic  Controller's  virtual 
preempt  interrupt  handler,  TC_PREEMPT_KANDLE3 .  This  handler 


invokes  TC_GETWORK,  which  re-evaluates  level-2  scheduling. 
Eventually,  when  the  schedulers  have  completed  their 
functions,  the  handler  will  return  control  to  the  preempted 
process,  which  will  return  to  te  Gatekeeper  for  a  normal 
exit.  This  sequence  of  events  closely  parallels  the  action 
of  a  hardware  interrupt,  hut  in  the  environment  of  a  virtual 
processor  rather  than  a  CPU.  The  virtualization  of 
interrupts  provides  the  ability  for  one  virtual  processor  to 
interrupt  execution  of  another  that  may,  or  may  not,  he 
running  on  a  CPU  at  that  time.  This  is  provided  without 
disrupting  the  logical  structure  of  the  system.  This 
capability  is  particularly  useful  in  a  multiprocessor 
environment  where  the  target  virtual  processor  -ay  he 
executing  on  another  CPU.  3ecause  these  interrupts  will  he 
virtualized,  the  operating  system  will  retain  control  of  the 
system.  The  action  of  the  TC_PREEMPT_HANDLER  is  described  in 
the  procedure  below.  A  source  listing  is  contained  in 
Appendix  B. 


TC_PREEMPT_HANELER  Procedure 

Begin 

Call  WAIT_IOCK 

V?_ID  :=  RTTNNING_VP 

Process_ID  :=  RUNNING  LIST  [VF_ID] 

If  process  Is  not  idle  Then 
Process  state  :=  ready 
end  if 

Call  TC.GSTWORK 
Call  WAITJJNLOCK 
RETURN 

End  TC_PREEMPT_HANDLER 

WAIT_L0CE  and  WAIT_UNL0CK  provide  an  exclusion 
mechanism  which  prevents  simultaneous  multiple  use  of  the 
APT  in  a  multiprocessor  configuration.  This  mechanism 
invokes  WAIT  and  SIGNAL  of  the  Inner  Traffic  Controller. 

3.  Even  tcoun  ts 

An  eventcount  is  a  non-decreasing  integer 
associated  with  a  global  object  called  an  event  [11]  .  The 
Event  Manager,  a  level-3  module,  controls  access  to  event 
data  when  required  and  provides  the  Traffic  Controller  with 
a  HANDLE,  an  INSTANCE,  and  a  COUNT.  The  values  for  all 
eventcounts  (and  sequencers)  are  maintained  at  the  Memory 
Manager  level  and  are  accessed  by  calls  to  the  Memory 
Manager,  The  HANDLE  provides  the  traffic  controller  with  an 
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event  ID,  associated  with  a  particular  segment.  INSTANCE  is 
a  more  specific  definition  of  the  event.  For  example,  each 
SASS  supervisor  segment  has  two  eventcounts  associated  with- 
it,  a  INSTANCE_1  and  a  INSTANCE_2,  that  the  supervisor  uses 
keep  track  of  read  and  write  access  to  the  segment  [2], 
Eventcounts  provide  information  concerning  system-wide 
events.  They  are  manipulated  hy  the  Traffic  Controller 

functions  ADVANCE  and  AWAIT  and  by  the  Memory  Manager 

functions,  READ  and  TICKET.  A  proposed  high  level  design  for 
ATVANCS  and  AWAIT  is  provided  in  Appendix  C. 
a.  Advance 

ADVANCE  signals  the  occurrence  of  an  event 
(e.g.,  a  read  access  to  a  particular  supervisor  segment). 
The  value  of  the  eventcount  is  the  number  of  ADVANCE 

operations  that  have  been  performed  on  it.  When  an  event  is 
advanced,  the  fact  must  be  broadcast  to  all  blocked 

processes  awaiting  it  and  the  process  must  be  awakened  and 
placed  on  the  ready  list.  Some  of  the  newly  awakened 
processes  may  have  a  higher  priority  than  some  of  the 
running  processes.  In  this  case  a  virtual  preempt, 
SET_V?REEMPT  (V?_ID1,  must  be  sent  to  the  virtual  processors 
loaded  with  these  lower  priority  processes. 


b.  Await 

When  a  process  desired  to  block  itself  until 
a  particular  event  occurs,  it  invokes  AWAIT.  This  procedure 
returns  to  the  calling  process  when  a  specified  eventcount 
is  reached.  Its  function  is  similar  to  WAIT. 

c.  Read 

READ  returns  the  current  value  of  the 
eventcount.  This  is  an  Svent  Manager  (level  three)  function. 
This  module  calls  the  Memory  Manager  module  to  obtain  the 
eventcount  value. 

d.  Ticket 

TICKET  provides  a  complete  time-ordering  of 
possibly  concurrent  events.  It  uses  a  non-decreasing 
integer,  called  a  sequencer,  which  is  also  associated  with 
each  supervisor  segment.  As  with  READ,  this  is  an  Event 
Manager  function  that  calls  the  Memory  Manager  to  access  the 
sequencer  value.  Each  invocation  of  TICKET  increments  the 
value  of  the  sequencer  and  returns  it  to  the  caller.  Two 
different  uses  of  ticket  will  return  two  different  values, 
corresponding  to  the  order  in  which  the  calls  were  made. 

D.  SYSTEM  INITIALIZATION 

lecause  the  Inner  Traffic  Controller's  scheduler, 
GETWORK,  can  accommodate  both  normal  calls  and  hardware 
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interrupt  jumps,  the  problem  of  system  initialization  is  not 
difficult. 

When  SASS  is  first  started  at  level-1,  the  Idle  VP  is 
running  and  the  memory  manager  VP,  which  has  the  highest 
priority,  is  the  first  ready  virtual  processor  in  the  ready 
list.  All  VP's  available  to  the  Traffic  Controller  for 
level-2  schedling  are  ready.  Their  IDLE_FLAG's  and  PPEEMPT 
flags  are  set. 

At  level-2,  all  VP's  are  loaded  with  idle  processes  and 
all  supervisor  processes  are  ready. 

The  kernel  stack  segment  of  each  process  is  initialized 


to  appear  as  if  it  had  been  saved  by  a  hardware  Preempt 
interrupt  (Figure  16K 


Initialized  Stack 


Stack  Segment 


Figure  16 

All  CPtf  registers  and  the  supervisor  stack  pointer  are 
stored  on  the  stack.  R15  Is  reserved  as  the  kernel  stack 
point;  R14  contains  the  EBR.  All  other  registers  can  he  used 
to  pass  initial  parameters  to  the  process.  The  order  in 
which  these  registers  appear  on  the  stack  supports  the  Z/ASM 
block-move  instructions. 

The  status  block  contains  the  current  value  of  the  stack 
pointer,  R15,  and  the  preempt  interrupt  return  flag.  This 
flag  is  set  to  indicate  that  the  process  has  been  saved  by  a 


preempt  interrupt.  The  first  three  items  on  the  stack:  the 
process  entry  point,  the  initial  process  flag  control  word, 
and  an  interrupt  indentifier,  are  also  initialized  to 
support  the  action  of  a  hardware  interrupt. 

To  start-up  the  system,  R14  (the  DBR)  is  set  to  the  Idle 
process  DBR,  the  CPU  Program  counter  is  assigned  the 
PRESMPT_2NTRY  point  in  GETWORK }  the  CPU  Flag  Control  Word 
(FCW)  is  initialized  for  the  kernel  domain;  and  the  CPU  is 
started.  Because  the  Idle_VP  is  the  lowest  priority  VP  in 
the  system,  it  will  place  itself  hack  in  the  ready  state  and 
move  the  Memory  Manager  in  the  running  state.  The  Memory 
Manager  will  execute  an  interrupt  return  because  the 
interrupt  return  flag  was  set  by  system  initialization. 
There  will  be  no  Work  for  this  kernel  process  so  it  will 
call  WAIT  to  place  itself  in  the  waiting  state.  The  next 
ready  VP  is  idling,  but  since  it's  IDIE_FIAG  and  PREEMPT 
flag  are  set,  GETWORK  will  select  it.  It  too  will  execute  an 
interrupt  return,  but  because  its  PREEMPT  flag  is  set,  it 
will  call  TC_PREEMPT_HANDLER.  This  will  cause  the  first 
ready  process  to  be  scheduled.  Each  time  a  supervisor 
process  blocks  itself,  the  next  idle  VP  will  be  selected  and 
the  sequence  will  be  repeated. 

The  action  described  above  is  in  accord  with  normal 
operation  of  the  system.  The  only  unique  features  of 
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Initialization  are  the  entry  point  (PREEMPT-ENTRT :  in 
GETWOF.E)  and  the  values  in  the  initialized  kernel  stack. 

The  implementation  presented  in  this  thesis  has  been  run 
on  a  Z 8000  developmental  module.  System  initialization  has 
been  tested  and  executes  correctly.  At  the  current  level  of 
implementation,  no  process  multiplexing  function  is 
available.  There  is  no  provision  for  unlocking  the  APT  after 
an  initialized  process  has  been  loaded  as  a  result,  a  call 
to  the  Traffic  Ccntorller  (viz.,  ADVANCE  or  AWAIT).  In  a 
process  multiplexed  environment  this  would  cause  a  system 
deadlock.  Once  the  process  left  the  kernel  domair  with  a 
locked  APT,  no  process  would  be  able  to  unlock  it.  The 
Traffic  Controller  must  handle  this  system  initialization 
problem. 
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V.  CONCLUSION 


The  implementation  presented  in  this  thesis  created  a 
security  kernel  monitor  that  runs  on  the  ZfCZC  Level opmental 
Module.  This  monitor  supports  multiprogramming  and  process 
management  in  a  distributed  operating  system.  The  process 
executes  in  a  multiple  virtual  processor  environment  which 
is  independent  of  the  CPU  configuration. 

This  monitor  was  designed  specifically  to  support  the 
Secure  Archival  Storage  System  (SASS)  [1,  2,  3] .  However, 
the  implementation  is  based  on  a  family  of  Operating  Systems 
[4]  designed  with  a  primary  goal  of  providing  multilevel 
security  of  information.  Although  the  monitor  currently  runs 
on  a  single  microprocessor  system,  the  implementation  fully 
supports  a  multiprocessor  design. 

A.  RECOMMENDATIONS 

Because  the  Zilog  MMU  is  not  yet  available  for  the  Z80£0 
Developmental  Module,  it  was  necesary  to  simulate  the 
segmentation  hardware.  As  explained  in  Chapter  IV,  this  was 
accomplished  by  reserving  a  CPU  register,  S14,  as  a 
Descriptor  Base  Register  (DBR)  to  provide  a  link  to  the 
loaded  addresss  space.  When  the  MMU  becomes  available,  this 
simulation  must  be  removed.  This  can  be  done  in  two  steps. 


First,  the  addressing  format  must  be  translated  to  the 
segmented  form.  This  requires  no  system  redesign. 

Second,  the  switching  mechanism  most  be  modified  to 
accomodated  to  use  the  MMU.  This  can  be  done  by  modifying 
the  SVAP_DB3  portion  of  GETWORK  to  multiplex  the  MMU_IMAGE 
onto  the  MMU  hardware  and  this  can  be  accomplished  by 
changing  about  a  dozen  lines  of  the  existing  code. 

B.  F0II0W  ON  WORK 

Although  the  monitor  appears  to  execute  correctly,  it 
has  not  been  rigorously  tested.  Before  higher  levels  of  the 
system  are  added,  it  is  essential  that  the  monitor  be  highly 
reliable.  Therefore  a  formal  test  and  evaluation  plan  should 
be  developed. 

An  automated  system  generation  and  initialization 
mechanism  is  also  required  if  the  monitor  to  be  is  a  useful 
tool  in  the  development  of  higher  levels  of  the  design. 

Once  the  monitor  has  been  proven  reliable  and  can  be 
loaded  easily,  work  on  the  implementation  of  the  Memory 
Manager  kernel  process  and  the  remainder  of  the  kernel  can 
continue . 
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APPENDIX  A 
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APPENDIX  C 


ADVANCE  Procedure  (HANDLE,  INSTANCE) 

Begin 

Call  WAIT_LOCK  (APT) 

1  wake  up  ! 

PROCESS  :«  EVENT_LIST_HEAD  (HANDLE,  INSTANCE) 

COUNT  :*  MM_ADVANCE__COUNT  (HANDLE,  INSTANCE) 

!  make  ready  ! 

Do  while  not  end  of  READY  LIST 
If  PROCESS. COUNT  <»  COUNT  THEN 
Call  MAKE  READY 
end  if 
end  do 

!  initialize  preempt  array  ! 

Do  for  VP  ID  «  1  TO  #NR  VP 
RUNNING  LIST  [VP  ID] .PREEMPT  :«  #TRUE 
end  do 

!  find  preempt  candidates  ! 

CANDIDATES  :«  0 

PROCESS  :«  READY_LIST_HEAD 

Do  (for  VP_ID  *  *  1  to  #NR_VP )  and  not  end  READY_LIST 

If  PROCESS  «  #RUNNING  THEN 
RUNNING  LIST  [VP  ID} .PREEMPT  :*  #PALSE 
else 

CANDIDATE  :«  CANDIDATE  +1 
end  if 

Get  next  ready  process 
end  do 
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!  preempt  candidates  ! 

Do  for  VP  ID  1  to  CANDIDATES 
If  RUNNING  VP  [VP  ID]  *  #TRUE  Then 
Call  SET_VPREEMPT  (VP_ID) 
end  if 
end  do 

Call  VAITJJNIOCK  (APT) 

Return 
End  ADVANCE 


AWAIT  Procedure  (HANDLE,  INSTANCE,  COUNT) 

Begin 

Call  WAIT_I0CK  (APT) 

7P_ID  RUNNING_7P 

PROCESS  :«  RUNNING_LIST  [7P_ID] 

CURRENT_COUNT  :«  MM_READ_COUNT  (HANDLE,  INSTANCE) 

If  CURRENT  COUNT  <  COUNT  Then 

Call  THRElD  BLOCKED  LIST  (HANDLE,  INSTANCE,  PROCESS) 

PROCESS. HANDLE  :*  HANDLE 

PROCESS. INSTANCE  s»  INSTANCE 

PROCESS. COUNT  :*  COUNT 

PROCESS. STATE  :  =  #BLOCKED 


Call  TC  GETWORK 
end  if 

Return 

End  AWAIT 
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